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VOLUME  V 
IN  THE  UNITED  STATES  ARMY 

UNITED  STATES 
VS. 

MANNING,    Bradley  E.,    PFC  COURT-MARTIAL 
U.S.   Army,  xxx-xx-9504 

Headquarters  and  Headquarters  Company, 

U.S.   Army  Garrison, 

Joint  Base  Myer-Henderson  Hall, 

Fort  Myer,   VA  22211 

 / 

The  Hearing  in  the  above-entitled  matter  was 
held  on  Tuesday,   June  11,   2013,   commencing  at  9:30  a.m., 
at  Fort  Meade,  Maryland,   before  the  Honorable  Colonel 
Denise  Lind,  Judge. 
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DISCLAIMER 

This  transcript  was  made  by  a  court 
reporter  who  is  not  the  official  Government  reporter, 
was  not  permitted  to  be  in  the  actual  courtroom  where 
the  proceedings  took  place,  but  in  a  media  room 
listening  to  and  watching  live  audio/video  feed,  not 
permitted  to  make  an  audio  backup  recording  for 
editing  purposes,   and  not  having  the  ability  to 
control  the  proceedings  in  order  to  produce  an 
accurate  verbatim  transcript . 

This  unedited,   uncertified  draft 
transcript  may  contain  court  reporting  outlines  that 
are  not  translated,   notes  made  by  the  reporter  for 
editing  purposes,  misspelled  terms  and  names,  word 
combinations  that  do  not  make  sense,   and  missing 
testimony  or  colloquy  due  to  being  inaudible  to  the 
reporter . 
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APPEARANCES : 

ON  BEHALF  OF  THE  GOVERNMENT: 
MAJOR  ASHDEN  FEIN 
CAPTAIN  ALEXANDER  von  ELTEN 

ON  BEHALF  OF  THE  ACCUSED: 
DAVID  COOMBS 
MAJOR  THOMAS  HURLEY 
CAPTAIN  JOSHUA  TOOMA 
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PROCEEDINGS, 

THE  COURT:     Major  Fein,   please  account 
for  the  parties . 

MR.   FEIN:     Yes,   ma'am.     Your  Honor,  all 
parties  in  the  court  from  last  recess  are  again  present, 
exceptions  are  Captain  Overgaard  and  Captain  Morrow  are 
absent .     Captain  von  Elten  is  present . 

THE  COURT:     Are  there  any  issues  we  need  to 
address  before  we  proceed? 

MR.   FEIN:     Yes,   ma'am.     A  few  admin  issues. 
First,   this  morning  United  States  filed  what's  been 
marked  as  appellate  exhibit  566,   the  witness  list  order 
of  proposed  prosecution  witnesses .     That ' s  an  updated 
listing  from  the  previous . 

THE  COURT:     All  right.     Thank  you. 

MR.   FEIN:     Also,   ma'am,   as  of  0930  this 
morning  there  are  eleven  members  of  the  media  in  the 
media  operations  center .     There  are  two  stenographers . 
There's  no  one  presently  in  the  trailer,   although  the 
trailer  is  available  and  the  courtroom  is  not  filled  to 
capacity . 
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THE  COURT :     All  right .     Thank  you  very  much . 

MR.   COOMBS:     Ma'am,    I  would  like  to  put  on 
the  record  that  the  government  has  indicated  pretty  much 
from  this  day  forward  they'll  accommodate  the  request  of 
the  stenographers  to  have  one  come  in  the  morning,  one 
come  in  the  afternoon  session,   and  that  also  the 
stenographers  will  be  given  a  dedicated  pass  for  the 
media  operations  center. 

THE  COURT:      Is  that  correct? 

MR.   FEIN:     Yes,   ma'am.     Also,   the  United 
States '  understanding  is  that  the  court ' s  preference  or 
directive  is  that  one  of  the  70  spots  for  the  media  will 
actually  become  69  spots  and  a  stenographer  will  be  the 
70th  spot,   so  it  will  actually  not  be  a  media  spot,  it 
will  be  the  stenographer  spot .     That  way  the  public 
affairs  will  credential  69  positions,   not  70. 

THE  COURT:     That  is  actually  what  I  did 
direct  you  to  do.     Any  objection  to  that? 

MR.   COOMBS:     No  objection,   Your  Honor. 

THE  COURT:     Anything  else  we  need  to  address? 

MR .   COOMBS :     No ,   Your  Honor . 
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MR.   FEIN:     No,  ma'am. 

THE  COURT :     Please  call  your  next  witness . 

MR.   FEIN:     Ma'am,   prior  to  that  we're  going 
to  read  some  stipulations . 

THE  COURT:     Can  you  tell  me  who  those  are? 

THE  WITNESS:     Yes,   ma'am.     Ma'am,   the  first 
stipulation  is  Mr.   Peter  Artale,   prosecution  exhibit 
number  70.     The  next  is  Mr.   Chamberlin,  prosecution 
exhibit  71. 

THE  COURT:     Thank  you. 

MR.   FEIN:     Your  Honor,    stipulation  of 
expected  testimony  of  Mr.   Peter  Artale,   dated  9  June 
2013. 

It  is  hereby  agreed  by  the  Accused,  Defense 
Counsel,   and  Trial  Counsel,   that  if  Mr.  Peter. 
Artale  were  present  to  testify  during  the  merits  and 
pre-sentencing  phases  of  this  court-martial,   he  would 
testify  substantially  as  follows : 

One .      I  am  currently  employed  by  the  Army 
Counter-intelligence  Center,   ACIC,   with  the  902nd 
Military  Intelligence  Group  on  Fort  Meade,  Maryland. 
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ACIC  produces  finished  intelligence  products  for  the 
intelligence  community.     It  often  produces  these 
products  by  fulfilling  requests  for  information  from 
the  Army.      It  takes  finished  products  and 
disseminates  them  on  SIPRNET  and  JWICS . 

I  am  a  Web  Developer  and  the  Team  Lead  of 
a  team  of  three  software  developers .     I  have  worked 
in  this  capacity  and  for  ACIC  for  eight  years .  Prior 
to  this  position,    I  worked  in  web  development  for  the 
Defense  Intelligence  Agency,   DIA,    for  one  year,  then 
with  Booz  Allen  on  a  one  year  contract  with  National 
Geo-Spatial  Agency.     I  was  a  software  development 
engineer  and  programmer  in  the  Air  Force  for 
twenty— one  years .     I  retired  from  the  Air  Force  as  a 
Master  Sergeant.     I  also  have  an  Associate's  degree 
in  Computer  Science. 

Two .      I  first  became  involved  in  this 
case  on  approximately  17  March  2010  after  my  Branch 
Chief,  Ms.   Jessica  Johnson,   alerted  me  to  the 
compromise  of  U.S.   Government  information.  Ms. 
Johnson  asked  if  I  could  use  our  system  to  see  who 
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had  viewed  a  certain  product .     I  could,   as  I  had 
developed  custom  software  to  track  access  to 
particular  products.     This  software  captures  the 
viewer  credentials  by  recording  the  Internet  Protocol 
(IP)   address  and  date/time  of  access  for  each  user 
who  views  our  ACIC  work  product.     It  then  assigns  a 
unique  report  key  to  the  access  event .     This  occurred 
before  we  were  contacted  by  law  enforcement  in  this 
case,   as  ACIC  was  notified  of  the  compromise  of  one 
of  our  products  in  March  2010. 

Three.     An  IP  address  is  part  of  the 
Transmission  Control  Protocol /Internet  Protocol 
(TCP/IP) .     A  protocol  is  the  standard  language  used 
to  communicate  over  a  network.     TCP/IP  is  the  most 
common  "language"  that  computers  use  to  communicate 
over  the  Internet  and  so  an  IP  address  is  the  method 
of  identifying  a  specific  computer  on  a  network. 
Only  one  computer  can  be  assigned  a  specific  IP 
address  at  one  time .     Knowing  an  IP  address  allows  us 
to  know  which  computer  on  a  given  network  used  our 
products . 
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Our  software  is  a  custom  product  which, 
in  capturing  this  user  and  access  information, 
produces  metrics  which  can  be  used  to  see  which  of 
our  products  are  most  popular  and  how  our  products 
are  used.     The  software  only  logged  views  of  the 
document  in  the  ".asp"  format  which  is  the  standard 
way  the  product  would  appear  on  the  website,  ".asp" 
is  a  common  file  format  for  web  pages.     This  means 
that  the  software  only  logged  views  of  the  web 
version  of  the  document  and  not  the  views  of  the 
" .pdf "  or  ".doc"  version  of  the  document.  Likewise, 
the  logs  do  not  indicate  whether  the  document  was 
printed  or  saved,   nor  do  they  indicate  how  long  an 
individual  looked  at  the  document,   if  at  all.  We 
collect  this  data  normally  so  we  can  analyze  it  to 
see  where  we  need  to  allocate  our  development  and 
maintenance  resources  to  best  support  our  internal 
and  external  customers .     The  information  produced  by 
the  tracking  software  is,   therefore,   called  metrics. 

Four .     The  metrics  are  pulled  when  an 
engineer  runs  a  certain  query .     These  queries  can  be 
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customized  to  pull  only  the  information  the  developer 
wants  to  see.     In  this  case,   we  were  specifically 
interested  in  tracking  every  access  to  a  product 
titled  "WikiLeaks . org-An  Online  Reference  to  Foreign 
Intelligence  Services,    Insurgents,   or  Terrorists 
Groups?"     Therefore,    I  searched  the  product  by 
determining  and  searching  for  its  product 
identification  number,   which  is  "RB08-0617" .  The 
product  identification  number,   which  is  on  the 
document  itself  and  assigned  internally  by  ACIC,   is  a 
identifier  unique  to  each  ACIC  product . 

Five .     This  ACIC  product  "WikiLeaks . org- 
An  Online  Reference  to  Foreign  Intelligence  Services, 
Insurgents,   or  Terrorists  Groups?"  is  housed  on  our 
website  at  "acic.north-inscom.anny.smil.mil"  and  is 
accessible  only  via  a  classified  network,   such  as 
SIPRNET.      I  wrote  a  custom  query,   by  IP  address  and 
visit  time,   to  see  every  time  this  particular 
document  was  pulled  from  the  web  server.     A  custom 
query  is  a  method  of  pulling  information  from  a 
Database .     I  pulled  these  metrics  from  my  own 
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workstation.     The  data  is  automatically  pulled  into  a 
Structured  Query  Language    (SQL)   table.     SQL  is  a 
computer  language  for  extracting  and  inserting 
information  in  a  database.     It  is  a  standard  computer 
language  to  interact  with  databases .     Printouts  of 
SQL  queries  look  like  an  Excel  spreadsheet  in  that  it 
has  columns  and  rows;   however,   it  is  not  as  easy  to 
search  and  organize  as  an  Excel  spreadsheet.  I, 
therefore,   digitally  cut  and  pasted  the  information 
from  the  SQL  table  into  an  Excel  spreadsheet  and 
saved  the  data  to  my  desktop. 

I  then  organized  the  spreadsheets  in  two 
separate  manners.     The  first  set  is  organized  by 
visit  date.     The  second  is  organized  by  IP  address 
and  then  visit  date.     I  did  not  alter  the  content  of 
the  data  in  any  way  when  searching  for  the  data, 
moving  it  from  the  SQL  table  to  the  Excel 
spreadsheet,   or  while  in  the  Excel  spreadsheet.  I 
moved  the  information  and  organized  it  in  two 
separate  manners  because  it  was  easier  to  read.  I 
then  emailed  the  metric  data  to  my  leadership  at  ACIC 
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as  requested. 

The  data  is  stored  securely  on  our 
servers  and  is  only  accessible  to  the  other  three  web 
developers  on  my  team.     I  have  no  reason  to  believe 
anyone  else  would  have  modified  the  logs  in  any  way. 
This  occurred  before  we  were  contacted  by 
investigators  involved  in  this  case,   as  ACIC  was 
notified  of  the  compromise  of  one  of  our  products  in 
March  2010. 

Six.      In  this  case,   the  ACIC  document 
concerned  was  posted  in  2008.     I  pulled  the  metric 
data  tracking  access  to  this  document  on  17  March 
2010.     The  most  recent  access  date  listed  in  the 
metric  data  is  16  March  2010.     The  data  returned 
included  view  hits  on  the  document  up  until  the 
morning  I  ran  the  data  query.     The  logs  are  broken 
down  by  record  key,   IP  address,   and  visit  date. 

Specifically,   the  metrics  tell  me  the 
following  about  the  user  IP  addresses  who  opened  the 
website  containing  the  product  with  a  product 
identification  number  of  RB08-0617  in  the  web  page 
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format:     A  user  with  the  IP  address  22.225.41.40 
opened  the  web  page  on  1  December  2009  at  6:31  PM;  a 
user  with  the  IP  address  22.225.41.40  opened  the  web 
page  on  29  December  2009  at  2:40  PM;   a  user  with  the 
IP  address  22.225.41.40  opened  the  web  page  on  1 
March  2010  at  6:40  PM;   and  a  user  with  the  IP  address 
22.225.41.22  opened  the  web  page  on  7  March  2010  at 
11:31  PM. 

Seven.     The  data  for  these  metrics  is 
collected  by  our  custom  software  automatically  when 
someone  clicks  on  one  of  our  links  to  use  our  ACIC 
work  product.     This  system  captures  the  time,  date, 
and  IP  address  as  well  as  which  product  is  being 
accessed  and  served  out  to  the  requester.     We  know 
this  data  is  accurate  because  there  is  no  human 
intervention  into  the  process  and  because  views  are 
logged  using  specific  codes  and  for  specific 
products . 

Finally,   while  it  is  possible  to  make 
manual  insertions  in  metric  data  output,  those 
insertions  cannot  be  backdated  or  over-written.  This 
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means  whatever  output  data  the  system  produces  cannot 
itself  be  altered.     Furthermore,   at  the  time  I  pulled 
these  logs,   I  did  not  know  to  whom  the  IP  addresses 
were  attached  or  the  reasons  for  which  the  data  was 
being  pulled.      I  had  neither  the  motivation  nor 
knowledge  required  to  alter  the  document .     At  no 
point  prior  to  pulling  the  metric  log  data,  while 
pulling  the  information,   or  after  securing  it,   did  I 
ever  alter  the  data  in  any  way. 

Eight .     My  Branch  Chief  forwarded  my 
email  with  these  metrics  to  Mr.   Winston  Budram,  S-6 
and  Chief  Information  Officer  of  the  902nd  MI  Group. 
Mr.   Budram  forwarded  the  metrics  to  investigators 
after  they  contacted  our  office. 

Prosecution  Exhibit    (PE)    63  for 
identification  is  the  paper  copy  of  these  logs .  PE 
63  for  ID  is  a  printout  of  the  complete  logs  that  I 
pulled.      I  put  the  title  "Views  of  ACIC  Product 
RB08-0617 . asp"  on  the  top  of  the  Excel  spreadsheet. 
The  title  is  based  on  the  ACIC  product  identification 
number  and  the  format  of  the  document .     On  the  left 
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side  of  every  page  are  the  logs  that  I  pulled  and 
organized  by  visit  date.     On  the  right  side  of  every 
page  are  the  logs  that  I  pulled  and  organized  by  IP 
address  and  then  visit  date. 

I  believe  the  information  on  the  top  of 
the  page    ("Views  of  ACIC  Product  RB08-0617 . asp" ; 
"Record  Key";    "IP  Address";   and  "Visit  Date"),  which 
is  the  same  as  the  title  and  heading  information  on 
the  spreadsheets  that  I  pulled,   was  automatically 
produced  by  Excel  when  the  spreadsheets  were  printed. 

Nine .      I  am  the  custodian  of  the  records 
marked  as  PE  63  for  ID  and  an  employee  familiar  with 
the  manner  and  process  in  which  these  records  are 
created  and  maintained,  by  virtue  of  my  duties  and 
responsibilities .     PE  63  for  ID  was  made  at  or  near 
the  time  of  the  occurrences  of  the  matters  set  forth 
by  or  from  information  transmitted  by,   people  with 
knowledge  of  these  matters .     PE  63  for  ID  was  kept  in 
the  course  of  regularly  conducted  business  activity. 
It  was  the  regular  practice  of  the  business  activity 
to  make  the  records .     The  records  marked  as  PE  63  for 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 


17 

ID  are  a  true,   accurate,   and  complete  copy  of  the 
original  documents. 

Your  Honor,   the  United  States  moves  to 
admit  PE  63  for  ID  as  PE  63. 

MR.   HURLEY:     No  objection,  ma'am. 

THE  COURT :     All  right .     Prosecution  exhibit 
63  is  admitted.     May  I  see  it,  please? 

Thank  you. 

MR.   FEIN:     Ma'am,    stipulation  of  expected 
testimony  of  Mr.   Shawn  Chamberlin  dated  9  June  2013. 

It  is  hereby  agreed  by  the  Accused,  Defense 
Counsel,   and  Trial  Counsel,   that  if  Mr.   Sean  Chamberlin 
were  present  to  testify  during  the  merits  and 
pre-sentencing  phases  of  this  court-martial,   he  would 
testify  substantially  as  follows : 

One.      I  am  a  Systems  Administrator  for  the  S6 
shop  of  the  902nd  Military  Intelligence    (MI)    Group  on 
Fort  Meade,   Maryland.     The  902nd  MI  Group  performs 
counterintelligence  functions .     My  section  is 
responsible  for  providing  IT  support  for  all  unit 
servers.     In  this  capacity,   I  build  new  servers  and 
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maintain  old  ones .      I  have  worked  in  this  capacity 
for  ten  years .     Before  that  I  was  active  duty 
military  for  nine  years  and  was  a  Staff  Sergeant  when 
I  left  the  Army. 

For  the  last  five  of  my  nine  years  of 
active  duty  service,    I  had  the  Military  Occupational 
Specialty   (MOS)    33W,   which  is  Intercept  Electronic 
Warfare  Systems  Repair.     In  that  capacity,   I  was  a 
systems  administrator .     To  fulfill  my  current 
function,    I  have  received  Security  Plus  training  and 
have  certifications  in  numerous  Microsoft  server 
types .     I  also  hold  a  Bachelor ' s  degree  in 
Information  Systems  from  the  University  of  Phoenix. 

Two .      I  first  became  involved  in  the 
present  case  in  July  of  2011  when  my  supervisor  Mr. 
Robert  Conner,   the  Site  Lead  for  Information 
Technology  at  the  902nd  MI  Group,   requested  that  I 
pull  Microsoft  Internet  Information  Services    (MI IS) 
web  server  audit  event  logs  for  the  contacting  IP 
addresses  22.225.41.22  and  22.225.41.40  between  the 
dates  November  2009  and  May  2010.     MIIS  are 
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application  logs  that  are  specific  to  the  web  server. 
Audit  logs  are  a  record  of  the  activity  that  occurs 
on  the  server  and  enable  system  administrators  like 
me  to  track  what  users  do  on  the  website .     Audit  logs 
contain  data  that  is  automatically  written  to  them  on 
a  daily  basis . 

Here,   the  audit  logs  record  file  activity 
on  a  web  server  from  the  United  States  Government 
computer  assigned  to  the  IP  address  199.32.48.154,  is 
a  computer  dedicated  to  processing  classified 
information  at  the  SECRET  level.     This  is  the  IP 
address  for  the  ACIC  website  on  SIPRNET. 

Three .     This  data  shows  what  IP  addresses 
accessed  our  system  within  that  date  range.     An  IP 
address  is  part  of  the  Transmission  Control 
Protocol/ Internet  Protocol    (TCP/IP) .     A  protocol  is 
the  standard  language  used  to  communicate  over  a 
network.     TCP/IP  is  the  most  common  "language"  that 
computers  use  to  communicate  over  the  Internet .  An 
IP  address  is  the  method  of  identifying  a  specific 
computer  on  a  network . 
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Four.     An  IP  address  allows  us  to  know 
which  computer  on  a  given  network  accessed  our 
server.     In  this  case,   I  pulled  eighteen  log  files 
for  the  above  IP  address  and  date  range.     The  files 
are  named  the  following:   ex091119.log;  ex091201.log; 
ex091214.log;   ex091217.log;  ex091221.log; 
ex091229.log;   exl00207.log;  exl00209.log; 
exl00211.log;   exl00214.log;  exl00301.log; 
exl00302.log;   exl00308.log;  exl00315.log; 
exl00316.log;   exl00317.log,  which  is  the  automatic 
naming  convention  of  Microsoft  based  on  date . 

The  files  display  in  text  format.  The 
files  contain  86  entries  for  the  IP  address  of 
22.225.41.22  and  28  entries  for  the  IP  address  of 
22.225.41.40.     The  first  entry  for  22.225.41.22  or 
22.225.41.40  is  19  November  2010. 

Five .     These  logs  are  on  our  external  web 
server,   which  is  one  of  the  servers  I  am  responsible 
for  maintaining.     The  web  server  and  the  logs  are 
located  in  what  is  commonly  referred  to  as  the 
"DMZ",   which  is  the  area  between  our  internal  system 
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and  the  SIPRNET.      I  pulled  the  data  using  a  search 
window  and  searching  the  IP  address  for  the  given 
date  range .     Then  I  searched  for  the  two  requested  IP 
addresses .     I  then  put  the  files  into  an  internal 
investigation  folder  and  had  them  burned  to  a  disc.  I 
looked  at  the  disc  to  verify  that  they  were  the  logs 
that  I  pulled. 

Six.      I  am  familiar  with  these  logs 
because  of  my  work  as  a  systems  administrator.  After 
I  pulled  the  logs,   they  were  burned  onto  a  rewritable 
disc  by  another  individual .     I  reviewed  the  contents 
of  the  disc  to  ensure  it  contained  the  logs  that  I 
pulled.     The  disc  labeled  "Log  Files  902nd  MI 
20  11-0006"  contain  the  logs  that  I  pulled. 
Prosecution  Exhibit  64  for  Identification  is  a  copy 
of  this  disc.   I  attested  to  the  authenticity  of  these 
logs  on  21  June  2012,   BATES  number:    0044  9439.  I 
pulled  the  logs  from  the  server  and  did  not  alter  the 
content  of  the  logs  in  any  way.   I  have  no  reason  to 
believe  anyone  else  would  have  modified  the  logs  in 
any  way  while  they  are  on  the  server  as  permissions 
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to  the  "DMZ"  are  very  limited. 

Your  Honor,   the  United  States  moves  to 
admit  prosecution  exhibit  64  for  identification  as 
prosecution  exhibit  64 . 

MR.   HURLEY:     Ma'am,   we  have  no  objection  to 
that.     May  I  have  a  second  to  speak  with  Major  Fein? 

THE  COURT:  Yes. 

MR.   FEIN:     Your  Honor,   the  United  States 
requests  a  brief  in  place  recess . 

THE  COURT:     Go  ahead.     We're  not  actually 
recessing  the  court,    I'm  going  to  let  you  do  what  you 
need  to  do. 

MR.   FEIN:     Yes,  ma'am. 
(BRIEF  PAUSE . ) 

MR.   FEIN:     Ma'am,    I  have  retrieved 
prosecution  exhibit  71  and  consulted  with  defense  counsel 
and  there  has  been  one  modification  to  the  stipulation  of 
expected  testimony.      I  handed  the  court  reporter  PE  71 
and  I  would  direct  the  court  to  page  two . 

Your  Honor,   the  top  of  page  two  at  the  end  of 
the  first  paragraph  or  the  first  partial  paragraph,  the 
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date  19  November  2010  has  been  modified  to  19  November 
2009,   and  the  accused's,  Major  Hurley's  and  Major  Fein's 
initials  are  annotated  on  that  change. 

THE  COURT:     All  right.     Major  Hurley,  does 
the  defense  agree  with  this  change? 

MR.   HURLEY:     Yes,  ma'am. 

THE  COURT:     PFC  Manning? 

THE  ACCUSED:     Yes,  ma'am. 

MR.   Von  ELTEN:     Ma'am,   the  United  States 
calls  Matthew  Hosburgh. 

THE  COURT:     May  I  see  prosecution  exhibit  64? 
I  think  I  still  need  to  admit  that.     Is  that  better  done 
at  a  recess? 

MR.   FEIN:     Yes,   ma'am,  64. 
THE  COURT:     Prosecution  exhibit  64  for 
identification  is  admitted. 

Excuse  me,   Captain  von  Elten,   who  is  the  next 

witness? 

MR.   Von  ELTEN:     Matthew  Hosburgh. 
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Whereupon : 

MATTHEW  HOSBURGH, 
called  as  a  witness,   having  been  first  duly  sworn 
according  to  law,   testified  as  follows: 

DIRECT  EXAMINATION 

BY  MR.   Von  ELTEN: 

Q.  For  the  record,   you're  Sergeant  Matthew 

Hosburgh  of  Denver,  Colorado? 

A.  Staff  sergeant. 

Q.  Where  do  you  work? 

A.  I'm  currently  working  for  an  oil  and  gas 

company  in  Denver,  Colorado. 

Q.  And  what  do  you  do  there? 

A.  I  do  their  IT  security. 

Q.  And  what  does  that  entail? 

A.  It  entails  monitoring  the  networks  as  well  as 

threat  and  vulnerability  research. 

Q.  And  how  long  have  you  been  in  this  position? 

A.  I've  been  there  for  about  two  months  now,  sir. 

Q.  And  what  was  your  position  prior  to  that? 

A.  Prior  to  that  I  was  a  government  contractor 
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where  I  did  basically  the  same  type  of  work  for 
citizenship  and  immigration. 

Q.  And  what  department  does  citizenship  and 

immigration  reside  in? 

A.  Department  of  Homeland  Security. 

Q.  And  how  long  were  you  there? 

A.  I  was  there  for  three  years. 

Q.  And  how  was  the  work  similar;   what  did  you  do? 

A.  Same  type  of  thing,   monitoring  networks, 

looking  for  threats,   vulnerabilities  and,   yeah,  that's 
basically  it . 

Q.  And  what  did  you  do  prior  to  that? 

A.  Prior  to  that  I  was  on  active  duty  in  the 

Marine  Corps . 

Q.  And  for  how  long  were  you  on  active  duty? 

A.  For  eight  years. 

Q.  What  was  your  MOS  in  the  Marine  Corps? 

A.  I  was  a  2651. 

Q.  What  is  that? 

A.  It ' s  a  special  intelligence  system 

administrator . 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 

26 

Q .  What  training  did  you  receive  in  that 

position? 

A.  I  received  numerous  military  schools  as  well 

as  civilian  IT  security  related  courses . 

Q.  And  what  kind  of  things  did  that  schooling 

teach  you? 

A.  Everything  from  system  administration, 

servers,   networks,   to  security,   basic  security  and  things 
of  that  nature . 

Q.  What  kind  of  work  did  being  a  2651  entail? 

A.  Kind  of  ran  the  gamut  as  far  as  anything  from, 

you  know,   managing  servers  and  network  equipment  to 
information  assurance  and  security  accreditation  and 
threat  and  vulnerability  research. 

Q.  What  kind  of  systems  did  you  work  on? 

A.  Worked  primarily  on  classified  network 

systems,   servers  and  networks  of  that  nature. 

Q.  And  what  kind  of  work  did  you  do  on  those 

classified  systems? 

A.  Managed  the  systems,   provided  access  to  our 

users  as  well  as  I  was  in  charge  of  the  security  of  those 
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systems,   so  we  had  to  basically  apply  policy  to  those 
systems  as  well  as  manage  the  vulnerabilities  and  risks 
that  the  systems  faced. 

Q.  What  year  did  you  leave  active  duty? 

A.  2010. 

Q.  What  is  your  current  military  status? 

A.  I'm  a  reservist. 

Q.  When  did  you  join  the  reserves? 

A.  I  joined  in  July  of  2012. 

Q.  What  do  you  do  in  the  reserves? 

A.  I  have  the  same  MOS  so  I  do  the  same  type  of 

general  work,   but  I'm  currently  working  as  a  network 
analysis  or  I'm  a  network  analyst. 

Q.  Let's  talk  a  little  bit  about  a  report  you 

wrote.     Where  were  you  stationed  in  late  2009,  early 
2010? 

A.  I  was  in  Stuttgart,  Germany. 

Q.  And  what  were  you  doing  there? 

A.  I  had  been  stationed  there,   started  out  in 

2006. 

Q.  Do  you  remember  attending  a  conference? 
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A.  Yes,  sir. 

Q.  What  was  the  conference  called? 

A.  It  was,   the  title  of  the  conference  was  called 

here  be  dragons . 

Q.  And  who  hosted  the  conference? 

A.  It  was  hosted  by  the  Chaos  Computer  Club. 

THE  COURT:     What  dragons? 

THE  WITNESS :     Here  be  dragons . 
Q.  How  else  is  the  Chaos  Computer  Club  referred 

to? 

A.  It's  either  known  as  CCC  or  C3 . 

Q.  How  did  you  know  about  C3? 

A.  Through  my  research  that  I  was  doing  just 

trying  to  stay  ahead  of  security  threats,   I  noticed  that 
the  conference  was  basically  in  our  neck  of  the  woods  and 
that ' s  how  I  found  out  about  it . 

Q.  And  where  was  the  conference? 

A.  It  was  in  Berlin. 

Q.  And  when  did  the  conference  occur? 

A.  It  was  roughly  the  26th  of  December,  2009 

through  the  30th,    if  I  remember  correctly. 
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Q.  What  is  the  C3  conference? 

A.  So  the  C3  conference  essentially,  what  it 

actually  stands  for  is  the  Chaos  Communication  Congress. 
It ' s  a  conference  that  basically  combines  or  brings 
together  people  throughout  the  hacker  community,  security 
researchers  and  just  random  people,   brings  them  all 
together  and  they  talk  about  various  topics  ranging  from 
security,   hacking,   political  issues.      I  mean  you  name  it 
and  it ' s  probably  there . 

Q.  And  how  often  is  it  held? 

A.  It's  held  yearly. 

Q.  And  why  did  you  attend? 

A.  I  attended,   it  was  an  opportunity  to  not  only 

attend  a  conference  that  could  potentially  I  guess  show 
some  security  vulnerabilities  that  we  might  be  able  to 
apply  to  our  command,   but  is  also  local  and  we  had  some 
extra  funds  to  go  travel  and  go  to  that  conference,   so  — 

Q.  How  many  days  was  the  conference? 

A.  I  believe  it  was  five  days. 

Q.  And  how  many  days  did  you  attend? 

A.  I  was  there  for  four  days.     One  day  was  for 
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travel . 

Q.  How  many  people  attended  the  conference? 

A.  Roughly  about  three  to  5,000,   I  believe. 

Q.  What  kind  of  facility  hosted  the  conference? 

A.  It  was  your  standard  just  conference  center, 

multiple  rooms  that  could  host  various  talks  and 
presentations . 

Q.  And  where  were  the  featured  presentations 

given? 

A.  The  featured  presentations?     Those  were 

reserved  for  the  bigger  rooms  of  the  conference  center. 

Q.  And  about  how  big  was  the  bigger  room,  how 

many  people  did  it  seat? 

A.  How  many  people?     Okay.     Roughly  maybe  five  to 

a  thousand  people . 

Q.  500  to  a  thousand  people? 

A.  I'm  sorry.     500,   yes,  sir. 

Q.  What  were  some  of  the  main  presentations? 

A.  Some  of  the  main  presentations  I  recall 

offhand  they  were  talking  about,   one  of  the  big  ones  was 
WikiLeaks,   they  talked  about  net  neutrality,   Tor  came  up. 
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They  talked  about  various  topics  related  to  GSM  cellphone 
networks.     A  few  others,    I  just  can't  recall  off  the  top 
of  my  head. 

Q.  And  what  language  were  the  talks  given  in? 

A.  They  were  given  in  English  and  some  of  them 

were  also  in  German. 

Q.  Let's  talk  a  little  bit  about  the  net 

neutrality  presentation.     How  many  speakers  gave  that 
presentation? 

A.  I  recall,    I  believe  there  was  two  speakers  for 

that  one.     One  main  presenter  though. 

Q.  And  how  long  did  the  presentation  last? 

A.  That  was  about  an  hour  if  I  remember  that  one 

right . 

Q.  And  what  is  net  neutrality? 

A.  Well,   net  neutrality,   the  way  I  see  it  is  a 

way  to  keep  the  Internet  open  and  free  as  far  as 
preventing  any  issues  or  ISPs,    Internet  service  providers 
from  regulating  it.     So  their  issue  or  their  whole  talk 
was  about  we  need  to  keep  the  Internet  open  and  free 
instead  of  having  various  tiers  of  regulation  on  the 
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Internet . 

Q.  And  what  was  the  purpose  of  the  presentation? 

MR.   HURLEY:     Objection,   ma'am.  Hearsay. 
THE  COURT:     Establish  a  foundation  and  his 
personal  knowledge . 

MR.   Von  ELTEN :      It  goes  to  the  effect  on 

listener . 

THE  COURT:     What  was  the  question? 

MR.   Von  ELTEN:     What  was  the  purpose  of  the 

presentation? 

THE  COURT:     Ask  for  the  foundation  of 
knowledge.     How  does  he  know  that? 
BY  MR.   Von  ELTEN: 

Q.  How  do  you  know  that? 

A.  How  do  I  know  what  the  purpose  is?  Because 

there ' s  a  summary  of  the  talk  before  I  went  and  I  had 
done  some  research  about  that  topic. 

Q.  And  where  — 

THE  COURT:  Overruled. 

Q.  Are  where  did  you  do  your  research? 

A.  Research  just  on  the  open  Internet. 
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Q.  And  what  was  the  purpose  of  the  presentation 

A.  It  was  more  about  awareness,    I  remember  that 

one.      It  was  in  English.     The  speaker  was  making  a  case 
for  global  open  Internet,   but  specifically  for  some  of 
the  issues  coming  up  in  France  at  the  time. 

MR.   HURLEY:     Again,   ma'am,   hearsay.  He's 
just  repeating  what  the  presenter  told  him. 

THE  COURT:     What  are  you  offering  it  for? 
MR.   Von  ELTEN :      I'm  offering  it  for,   it  goe 
to  explain  why  he  wrote  his  report . 

THE  COURT:  Overruled. 
BY  MR.   Von  ELTEN: 

Q.  Let's  talk  about  the  WikiLeaks  presentation. 

What  room  was  that  in? 

A.  It  was  in  one  of  the  larger  conference  rooms 

Q.  About  how  many  people  attended  the  talk? 

A.  That  one  was  probably  closer  to  a  thousand, 

remember  it  being  pretty  full . 
Q.  Who  gave  the  talk? 

A.  The  talk  was  given  by  Julian  Assange . 

Q.  And  how  long  did  Mr.   Assange  speak? 
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A.  It  was  about  an  hour  or  so. 

Q.  And  how  was  the  talk  relevant  to  your  work  at 

the  time  in  the  Marines? 

A.  It  was  relevant  in  the  sense  that  I  worked 

with  classified  information  at  the  time. 

Q.  And  what  was  the  purpose  of  the  talk? 

A.  The  main  purpose  of  the  talk  was  really  to 

explain  what  WikiLeaks  was  and  the  launch  of  their, 
basically  their  new  site  is  what  I  got  from  it.  They 
talked  about  what  their  intentions  were  and  then 
basically  what  the  system  provided. 

Q.  And  what  were  their  intentions? 

A.  The  intentions  were  they  basically  were 

eliciting  support  from  the  audience  and  then  I  guess 
anybody  listening  to  the  conference  to  leak  any  type  of 
information,   not  only  classified  information  but 
proprietary  trade  secrets,   anything  of  that  nature. 

Q.  I  am  retrieving  prosecution  exhibit  43  for 

identification,   hand  this  to  the  witness. 

Do  you  recognize  the  document  I've  handed 

you? 
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A.  Yes,  sir. 

Q.  What  is  it? 

A.  This  is  my  trip  report,   after  action  report 

wrote  after  I  came  back  from  the  conference. 
Q.  When  did  you  write  it? 

A.  I  wrote  it  approximately  a  week  after. 

Q .  How  do  you  know  it ' s  your  report  ? 

A.  Well,    it  has  my  name  on  it  and  it's  in  the 

format  I'm  used  to. 

Q.  Where  did  you  submit  it? 

A.  Where  did  I  submit  it?     I  submitted  it  to 

basically  my  chain  of  command  when  I  got  back. 

Q.  Retrieving  prosecution  exhibit  43  for 

identification . 

Retrieving  prosecution  exhibit  85 . 
Would  you  please  take  a  minute  to  review 
1A12?     I  believe  it's  on  the  second  page. 
A .  Okay . 

Q.  How  often  were  your  reports  posted  online? 

A.  How  often  were  they  posted?     Good  question 

because  we  had  just  implemented  a  new  system,   so  we 
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didn ' t  really  have  a  frequency  of  necessarily  posting 
them,   a  standard  procedure  for  that .     Since  that  new 
system,   it  was  kind  of  became  a  de  facto  practice  of 
posted  after  the  trip. 

Q.  And  where  were  they  posted? 

A.  We  posted  to  a  Sharepoint  portal. 

Q.  And  what  was  the  address  of  that  Sharepoint 

portal? 

A.  It  was  something  along  the  lines  of  M  F  E  dot 

USMC  dot  smil  dot  mil .     And  then  your  various  section  be 
denoted  by  a  G  representing  and  then  a  number. 

Q.  Is  that  approximately  the  address    (INAUDIBLE) ? 

A.  Yes,  sir. 

MR.   Von  ELTEN:     Retrieving  prosecution 

exhibit  85. 

Your  Honor,   the  United  States  would  move  to 
enter  prosecution  exhibit  43  for  identification  into 
evidence . 

MR.  HURLEY:  No  objection,  ma'am. 
THE  COURT:  May  I  see  it,  please? 
Prosecution  exhibit  43  for  identification  is 
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admitted. 

BY  MR.   Von  ELTEN : 

Q.  Let's  talk  a  little  bit  about  this  report. 

How  did  you  organize  the  report? 

A.  I  organized  it  basically  chronologically  so 

the  talks  I  went  to,   that's  the  first  talk,   and  then  so 
on  and  so  forth  throughout  the  report . 

Q.  What  information  did  you  put  in  the  summary 

section? 

A.  The  summary  was  generally  a  description 

basically  from  the  conference  itself,  and  then  if  there's 
anything  I  needed  to  add  to  make  it,  to  make  it  make  more 
sense  to  my  chain  of  command. 

Q.  And  what  was,   how  did  you  construct  the 

sections? 

A.  The  analysis  was  based  off  of  some  of  the 

analytical  work  I  had  done  in  our  section  and  also  trying 
to  make  that  analysis  fit  within  our  organization 
basically . 

Q.  What  was  the  purpose  of  the  counter  measure 

section? 
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A.  That  was  basically  —  the  purpose  behind  that 

was  to  identify  if  there  was  a  potential  threat,  security 
threat  that  maybe  we  were  vulnerable  to,   and  then  to  see 
if  we  could  actually  fix  it,   fix  that  vulnerability. 

Q.  What  was  the  purpose  of  drafting  this  report? 

A.  To  basically  summarize  the  trip  so  I  could 

show  the  command  actually  what  I  did  there,  and  then  also 
to  raise  some  awareness  as  far  as  what  the  issues  I  found 
there  were . 

MR.   Von  ELTEN :     Thank  you.     No  further 
questions,   Your  Honor. 

THE  COURT:     Cross  examination. 
MR.   HURLEY:     Yes,  ma'am. 
CROSS  EXAMINATION 

BY  MR.  HURLEY: 

Q.  Staff  Sergeant  Hosburgh,   good  morning. 

A.  Good  morning,  sir. 

Q.  When  it  comes  to  the  document  that  you  were 

just  discussing  with  Captain  von  Elten,   that's  a  document 
that  you  wrote? 

A.  Yes,  sir. 
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Q.  By  yourself? 

A.  Yes,  sir. 

Q.  And  it  appears  to  be  a  reflection  of  your  time 

spent  at  this  conference  that  you  discussed  with  Captain 
von  Elten? 

A.  Yes,  sir. 

Q.  It  was  rendered  chronologically? 

A.  Yes,  sir. 

Q.  The  first  thing  that  you  covered  was  net 

neutrality? 

A.  Yes,  sir. 

Q.  Then  WikiLeaks? 

A.  Yes,  sir. 

Q.  Then  you'll  forgive  my  computer  ignorance, 

exposing  crypto  bugs  through  reverse  engineering? 
A.  Yes,  sir. 

Q.  And  that  was  followed  by  some  other  more 

technical  topics  of  the  conversation? 
A.  Yes,  sir. 

Q.  And  you  started  with  paragraph  one,   as  you 

were  writing  you  started  with  paragraph  one? 
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A.  Yes. 

Q.  And  you  wrote  your  report  chronologically  as 

well? 

A.  Chronologically,   yes,  sir. 

Q.  In  your  discussion  of  net  neutrality  you 

mentioned  terrorist  use  of  the  Internet? 
A.  Yes,  sir. 

Q.  And  you  mentioned  that  in  paragraph  one? 

A.  Yes. 

Q.  In  your  discussion  of  WikiLeaks  you  did  not 

mention  terrorism  or  terrorist  use  of  that  site,  correct? 
A.  Correct,  sir. 

Q.  Now,    let's  talk  about  WikiLeaks;   the  presenter 

you  said  was  Julian  Assange? 
A.  Yes,  sir. 

Q.  And  he  did  not  mention  terrorism  in  his 

presentation? 

A.  Not  that  I  can  recall,  sir. 

Q.  Or  a  desire  to  help  terrorists? 

A.  No,  sir. 

Q.  That  would  have  been  reflected  in  your  report? 
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A.  Yes,  sir. 

Q.  WikiLeaks  was  focused  on  the  public  and  the 

public 1 s  access  to  information? 
A.  Yes,  sir. 

Q.  Insuring  openness? 

A.  Yes,  sir. 

Q.  And  keeping  the  public  well  informed? 

A.  That's  what  he  said,   yes,  sir. 

Q.  And  it  wasn't  exclusively  focused  on  the 

United  States? 

A.  It  wasn't.     They  did  mention,   there  was  more 

of  an  emphasis  for  classified  information,  however. 

Q.  But  it  wasn't  exclusively  focused  on 

classified  information? 

A.  Correct,  sir. 

Q.  They  were  interested  in  trade  secrets? 

A.  Yes,  sir. 

Q.  And  other  corporate  information? 

A.  Yes. 

Q.  So  you  mentioned,   let's  go  back  to  that 


paragraph  one,   terrorists  and  the  use  of  the  Internet. 
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You  indicated  that  terrorists  use  the  Internet? 
A.  Yes,  sir. 

Q.  To  communicate  with  each  other? 

A.  Yes. 

Q.  You  indicated  that  an  open  Internet  allows  for 

hidden  communication? 

A.  I  believe  I  recall  that,  sir. 

Q.  It's  sort  of  a,   you  created  this  idea  that  an 

open  network  allows  for  terrorist  communication  on  the 
Internet . 

A.  Yes,   sir,    I  did. 

Q.  Their  communication  with  each  other? 

A.  Yes. 

Q.  From  one  terrorist  to  another,   and  then 

potentially  from  there  to  yet  another  terrorist? 
A.  Yes,  sir. 

Q.  And  the  point  as  I  understood  it  —  now,  when 

there  was  a  discussion  of  net  neutrality,  did  the 
individual  giving  the  net  neutrality  talk  discuss 
terrorism? 

A.  No,    sir.     That  was  more  of  an  analytical 
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piece . 

Q .  Right .     And  what  you  were  trying  to  show  in 

your  analysis  was  essentially  a  cost  benefit,  right? 

A.  Trying  to  show  that  if  it  was  open,  that 

communication  could  still  exist,   yes,  sir. 

THE  COURT:     What  communication? 
THE  WITNESS :     Communication  between  the 
terrorists.     Generally  speaking,   that's  a  very  general 
term. 

BY  MR.  HURLEY: 

Q .  Right .     And  your  point  was  that  applying 

filters  to  the  Internet  to  make  it  less  unneutral,   to  use 
that  expression,   that  would,   you  weigh  what  you  get  from 
it  with  limiting  terrorist  communication  against  the 
costs  associated  with  making  it  less  neutral? 

A.  Not  necessarily  a  cost  in  my  mind.     They  did 

talk  about  costs .     It  was  more  along  the  lines  of  if  it 1 s 
so  restricted,   they'll  just  find  another  communication 
medium . 

Q.  And  in  your  report  you  did  mention  that  that, 

this  making  the  net  less  neutral  would  cost  money? 
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A.  Yes,  sir. 

Q.  And  you  indicated  also  in  your  report  that 

there  would  be  the  potential  for  it  impinging  on  the  free 
flow  of  speech? 

A.  Yes,  sir. 

Q.  In  your  report  what  you  didn't  say  is  that 

terrorists  used  the  Internet  to  gather  information;  is 
that  idea  reflected  in  your  report? 

A.  Not  specifically,   but  maybe  more  as  a 

(INAUDIBLE),   yes,  sir. 

Q.  And  you  didn't  say  that  they  used  the  Internet 

to  gather  information  from  open  source  reporting? 

A.  Not  specifically. 

Q.  And  you  didn't  say  that  they  used  the  Internet 

or  they  use  any  specific  website  for  this  open  source 
collection? 

A.  Correct. 

Q.  The  thrust  of  your  point  as  you  were  talking 

about  net  neutrality  was  terrorists  and  hiding  their 
communication  on  the  Internet? 

A.  Yes,    sir.     Well,  generally. 
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Q.  You  were  involved  in  military  intelligence 

while  you  were  on  active  duty  in  the  Marine  Corps? 
A.  Yes,  sir. 

Q .  And  how  long  were  you  at  intel  in  CO  when  you 

were  in  the  Marine  Corps? 

A .  Approximately  about  three  years . 

Q.  And  you're  familiar  with  the  term  intelligence 

gaps? 

A.  Yes,  sir. 

Q.  And  an  intelligence  gap  is  something  we  don't 

know? 

A.  More  or  less,   yes,  sir. 

MR.   HURLEY:     No  further  questions,  ma'am. 

THE  COURT:  Redirect? 

MR.   Von  ELTEN :     Nothing,  ma'am. 

THE  COURT :     All  right .     Temporary  or 
permanent  excusal? 

MR.   Von  ELTEN:  Temporary. 

THE  COURT:     All  right.     Staff  Sergeant 
Hosburgh,   you  are  temporarily  excused.     Please  don't 
discuss  your  testimony  or  knowledge  of  the  case  with 
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anyone  other  than  the  accused  or  the  lawyers  in  the  case 
while  the  trial  is  still  going  on. 

I  do  have  a  question  for  the  government.  I'm 
looking  at  government  exhibits  43  and  44,   they  appear  to 
be  the  same  thing,   one  is  redacted  and  one  is  not. 

MR.   FEIN:     Yes,  ma'am. 

THE  COURT :      I  have  a  motion  for  prosecution 
exhibit  43.      Is  that  the  intent? 

MR.   FEIN:     The  intent  was  to  use  it  as  a 
substitute,   yes,  ma'am. 

Ma'am,   read  a  stipulation  of  expected 
testimony  for  Lieutenant  Commander  Thomas  Hoskins,  United 
States  Navy  Reserve  dated  10  June  2013. 

THE  COURT:     What  exhibit  is  that? 

MR.   FEIN:     Yes,   ma'am.     Prosecution  exhibit 
111  Bravo,   the  unclassified  redacted  version. 

It  is  hereby  agreed  by  the  Accused,  Defense 
Counsel,   and  Trial  Counsel,   that  if  Lieutenant  Commander 
Thomas  Hoskins,   United  States  Navy  Reserve,   were  present 
to  testify  during  the  merits  and  pre-sentencing  phases  of 
this  court-martial,   he  would  testify  substantially  as 
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follows : 

One .      I  am  a  Lieutenant  Commander  in  the 
United  States  Navy  Reserves.     As  a  reservist,    I  am 
currently  assigned  to  United  States  Pacific  Fleet.  In 
1997,    I  obtained  a  BS  in  Marine  Transportation  and  a  BS 
in  Environmental  Science  from  the  Massachusetts  Maritime 
Academy.      In  2007,    I  obtained  a  Masters  of  Business 
Administration  from  the  Naval  Postgraduate  School . 

Two.      I  entered  active  duty  in  the  United 
States  Navy  in  1998  and  left  active  duty  in  2009. 
While  on  active  duty,    I  was  an  F-18  pilot.      I  joined 
the  United  States  Navy  Reserves  in  2009.      I  have 
logged  over  1700  hours  as  a  pilot,   to  include 
approximately  320  hours  of  combat  flight  time.  I 
have  completed  the  requisite  training,   to  include  six 
weeks  of  ground  school,   one  year  of  primary  training 
for  preliminary  flight  instruction,   one  year  of 
specialty  training  after  I  selected  intermediate 
training,   and  eight  months  of  advanced  training  in 
weapons,    formation  flying,   and  carrier  landing. 

After  completing  that  training,    I  was 
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selected  to  fly  F-18s  and  received  my  wings. 
Thereafter,    I  completed  one  year  of  F-18  training 
where  I  received  additional  training  in  weapons 
usage,   high  and  low  level  deployment  of  bombs,  and 
carrier  flying. 

As  a  pilot,    I  have  served  as  an  F-18 
division  combat  lead.     I  have  operated  weapons  while 
deployed  in  Afghanistan  and  conducted  reconnaissance 
while  deployed  in  Iraq.     I  have  deployed  three  times 
in  2001-02,   2003-04,   and  2008  in  support  of  Operation 
Enduring  Freedom  and  Operation  Iraqi  Freedom.      I  have 
also  served  as  a  flight  instructor  for  three  years . 

Three.     As  a  reservist,    I  currently  work 
on  planning,   which  involves  concept  plans,  operations 
plans,   and  execution  orders.     After  leaving  active 
duty  in  2009,    I  began  to  work  at  Booz  Allen  as  a 
contractor.     Today,    I  work  as  a  maritime  planner  for 
Booz  Allen.     Previously,    I  worked  for  Booz  Allen  on 
matters  related  to  United  States  Northern  Command 
USNORTHCOM  maritime  division.     Currently  at  Booz 
Allen,    I  work  on  USNORTHCOM  J6  security  cooperation. 
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In  my  work  for  the  J6,    I  work  on  security  cooperation 
between  the  United  States  and  Mexico.  Specifically, 
I  work  on  command  and  control  of  communications, 
computers,   and  information,  C4I. 

Four .     I  have  worked  with  classified 
information  in  my  career  with  Booz  Allen  and  as  an 
active  duty  and  reservist  pilot.     As  a  pilot,  I 
worked  with  classified  information  daily  for  flights, 
mission  planning,   mission  briefing,   and  certain 
information  about  the  planes.     Previously,   I  worked 
with  classified  information  in  my  work  at  Booz  Allen 
in  the  J5  pertaining  to  homeland  defense  plans,  and 
planning  and  development  of  specific  plans  for 
maritime  activities,   to  include  work  with  the  United 
States  Coast  Guard.     I  have  received  a  one  and  one 
half  hour  PowerPoint  training  on  classification 
procedures  and  spent  about  an  hour  quarterly  on 
training.     I  have  received  derivative  classification 
training.     I  have  also  used  classification  guides  in 
my  work;    I  have  used  the  USNORTHCOM  classification 
guide  to  determine  the  classification  status  of 
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Information.      I  did  not  consider  the  following  when 
making  any  determination:     One.     What,   if  any, 
Of  this  material  was  included  in  open  source 
reporting  and,   two,   what,    if  any,   of  this  material 
was  available  in  unclassified  publications,   such  as 
Army  Regulations  or  Field  Manuals . 

Five.      In  2011,    I  was  mobilized  to  United 
States  Central  Command,   USCENTCOM.      I  was  mobilized 
to  the  J5  planning  office,   Yemen  Branch.     While  in 
this  position,    I  worked  on  country-to-country  action 
plans  and  worked  with  the  United  States  Embassy  in 
Yemen  and  the  Yemeni  military  on  plans  and  security 
cooperation . 

Six.     While  mobilized  at  USCENTCOM,    I  was 
tasked  though  the  Task  Management  Tool  to  conduct  a 
review  for  classified  information.     The  J5  office 
plans  through  the  director,  who  receives  taskers . 
The  director  passed  the  tasker  to  me .     I  received  the 
submitted  documents  from  the  USCENTCOM  JAG  office. 
My  assignment  required  me  to  determine  whether  the 
submitted  documents  contained  classified  information 
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at  the  time  they  were  compromised. 

Seven.      In  my  capacity  as  the  person 
tasked  with  reviewing  the  submitted  documents,  I 
reviewed  the  documents  for  classified  USCENTCOM  JS 
equities.      I  reviewed  approximately  40  documents 
peliaining  to  United  States  v.   Private  First  Class 
Bradley  Manning,   which  the  prosecution  provided  to 
USCENTCOM.     The  documents  provided  by  prosecution, 
submitted  documents,   included,   among  others, 
documents  from  the  Combined  Information  Data  Network 
Exchange  Afghanistan,   CIDNE-A,   and  other  documents 
related  to  the  AR  I  5-6  investigation  of  the  Farah 
incident . 

Eight.     When  conducting  the  review,  I 
looked  at  USCENTCOM  classification  guides  and 
Executive  Order  13526  and  its  predecessors.  I 
reviewed  each  submitted  document  line  by  line  for 
classified  information  by  applying  the  USCENTCOM 
classification  guides .     I  annotated  the  basis  for 
each  classification  decision  in  my  sworn  declaration 
dated  21  October  2011,   Bates  numbers: 
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00527378-00527397.     Prosecution  Exhibit  87  for 
identification  is  this  declaration.     All  documents 
noted  in  the  declaration  contained  classification 
markings  and  were  properly  classified  at  least  at  the 
SECRET  level,   hereinafter  "reviewed  documents". 

Nine.     Based  on  my  military  experience,  I 
had  prior  familiarity  with  the  types  of  documents  and 
information  I  reviewed.     During  my  deployments,  I 
worked  with  similar  classified  information  pertaining 
to  mission  planning,   mission  details,  weapons 
systems,   and  maps  of  troop  locations. 

Ten.     The  reviewed  documents  consisted  of 
documents  collected  from  CIDNE-A  and  other  documents 
related  to  the  Farah  investigation.     The  reviewed 
documents  contained  military  information,   to  include 
military  plans,  weapons  systems,   or  operations; 
significant  activity  reports,    SigAct;  operational 
code  words  when  identified  with  mission  operations; 
SigActs  related  to  fact  of  and  general  type  of 
improvised  explosive  device   (IED)   attack  at  specific 
location  on  specific  date,  which  would  have  been 
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known  by  the  enemy  that  was  the  subject  of  that 
report;   participating  units,   and  details  of  movements 
of  US  friendly  forces;   concept  of  operations 
(CONOPS) ,   Operation  Orders    (OPORD) ,   or  Fragmentary 
Orders    (FRAGOs) ;   vulnerabilities  or  capabilities  of 
systems,   installations,   infrastructures,  projects, 
plans,   or  protection  services  relating  to  national 
security;   and  limitations  and  vulnerabilities  of  US 
forces  in  combat  area . 

CONOPs  are  properly  classified  as 
confidential  upon  execution  and  can  be  declassified 
one  year  after  completion.     Participating  units, 
including  types,   vulnerabilities,  locations, 
quantities,   readiness  status,  deployments, 
redeployments,   and  details  of  movement  of  U.S.  and 
friendly  forces  in  operations  can  be  properly 
declassified  upon  execution. 

Eleven.     I  reviewed  and  determined  that 
21  SigActs  from  CIDNE— A  contained  classified 
information  according  to  the  classification  guides 
and  my  knowledge  and  experience .     These  reviewed 
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SigAct  reports  from  CIDNE— A  were  all  marked  as 
Secret .     The  reviewed  SigActs  from  CIDNE -A  contained 
multiple  forms  of  military  information,   to  include 
information  related  to  deploying  quick  response 
forces  and  code  words,   reported  the  effectiveness  of 
IED  attacks,   which  would  be  known  to  the  enemy  that 
was  the  subject  of  that  report,   report  the  locations 
of  IED  attacks,   which  would  be  known  to  the  enemy 
that  was  the  subject  of  that  report,   identified  IED 
tactics,   techniques  and  procedures    (TIPs)  for 
responding  to  IED  attacks,   identified  TIPs  for 
identifying  and  neutralizing  IEDs,    friendly  action 
reports  of  finding  and  clearing  caches,  weapons 
systems  and  capabilities,   sources  and  methods  of 
Intelligence  engagement,    rules  of  engagement,  CONOPS, 
descriptions  of  United  States  forces,   TIPs  for 
mission  execution,   anticipated  enemy  reaction, 
flexible  deterrent  options,   code  words,   assistance  by 
local  foreign  nationals  in  locating  suspects,  and 
details  of  enemy  attacks . 

CONOPs  are  properly  classified  as 
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Confidential  upon  execution  and  can  be  declassified 
one  year  after  completion.     Participating  units, 
including  types,   vulnerabilities,  locations, 
quantities,   readiness  status,  deployments, 
redeployments,   and  details  of  movement  of  U.S.  and 
friendly  forces  in  operations  can  be  properly 
declassified  upon  execution.     The  21  CIDNE-A  reports 
that  contained  J5  equities  are  located  in  Appellate 
Exhibit  501  and  have  the  Bates  numbers 
00377846-00377846  and  00377888-00377910.  These 
CIDNE-A  reports  are  contained  within 
PE  89  for  identification. 

Twelve.     Additionally,    I  reviewed  the  AR 
15—6  investigation  into  a  military  operation  that 
occurred  in  Farah  province,   Afghanistan  on  or  about  4 
May  2009.     The  AR  15-6  investigation  into  the  Farah 
incident  was  focused  on  investigating  the 
circumstances  surrounding  a  large-scale  civilian 
casualties    (CIVCAS)    incident.     The  incident  occurred 
in  Gharani,   which  is  a  village  in  Farah  Province, 
Afghanistan.     As  noted  in  PE  90  for  identification,  I 
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found  that  13  of  the  Farah  investigation  documents 
contained  classified  information  I  believed  to  be 
sensitive  and  classified  because  the  documents  reveal 
TIPs,   troop  movements,   close  air  support,   troops  in 
combat    (TIC),   and  graphics  showing  troop  movements. 
The  Farah  investigation  documents  that  contained  J5 
Equities  are  located  in  AE  501  and  have  the  Bates 
numbers  00377425-00377480,    00377496,  00377627, 
00377672-00377674  00378029,    00378066,  00378071, 
00378079,   and  00378082.     These  documents  are 
contained  within  PE  90  for  ID. 

Thirteen.      I  reviewed  PE  66  for  ID,   a  CD 
contained  the  video  named  "BE22  PAX.wmv".  This 
video,   Gharani  video,    is  a  video  depicting  portions 
of  a  military  operation  in  Farah  Province, 
Afghanistan,   separately  from  the  review  I  conducted 
for  classified  USCENTCOM  J5  equities . 

Fourteen .     While  on  active  duty  from 
2007—09,    I  was  the  strike  operations  officer 
responsible  for  planning,   training,    coordinating  air 
wing  and  air-to-ground  operations,   which  involved 
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coordinating  with  the  Army  ground  liaison  for  mission 
coordination  of  ground  targets.      In  this  capacity  I 
reviewed  video  recordings  of  combat  missions .  The 
videos  captured  flight  operations  using  forward 
looking  infrared  radar   (FLIR) .      I  reviewed  the  videos 
to  ensure  the  mission  achieved  its  goal,   hit  the 
target,   or  reviewed  the  information  captured  in  a 
reconnaissance  capacity.     I  reviewed  hundreds  of 
these  videos  for  validation.     The  Gharani  video  is 
similar  to  the  hundreds  of  videos  I  reviewed  as  a 
strike  operations  officer. 

Fifteen.      I  reviewed  the  Gharani  video 
for  sensitive  military  information.      I  relied  on  my 
experience  while  conducting  my  review  for  sensitive 
and  classified  information  of  the  Gharani  video .  In 
particular,    I  relied  on  my  training  and  schooling, 
experience  as  a  flight  instructor,   experience  with 
operating  FUR  systems,   and  experience  reviewing 
videos  that  record  imagery  as  presented  in  the  FUR 
system. 

After  my  review  of  the  above  referenced 
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documents  for  USCENTCOM  J5  equities,    I  forwarded  my 
conclusions  and  recommendations  to  Deputy  Commander, 
USCENTCOM,   an  Original  Classification  Authority  for 
his  final  determination  as  to  whether  the  information 
is  properly  classified. 

Your  Honor,   the  United  States  moves  to 
admit  prosecution  exhibit  87  for  identification  as 
prosecution  exhibit  87. 

MR.   HURLEY:     No  objection. 

MR.   FEIN:     And  the  United  States  moves  to 
admit  prosecution  exhibit  66  for  identification  as 
prosecution  exhibit  66. 

MR.   HURLEY:     No  objection. 

THE  COURT:     All  right.     Both  exhibits  are 

admitted. 

May  I  see  prosecution  exhibit  66,  please? 
All  right.     Prosecution  exhibits  66  and  87 

are  admitted. 

MR.   FEIN:     Ma'am,   the  United  States  requests 
a  brief  comfort  break . 

THE  COURT:     All  right.     Any  objection? 
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MR.   HURLEY:     No,  ma'am. 

THE  COURT:     Court  is  in  recess  until  20 
minutes  to  eleven. 

(BRIEF  RECESS . ) 

THE  COURT:      Is  the  government  ready  to  call 
the  next  witness? 

MR.   Von  ELTEN :     Yes,   ma'am.     United  States 
recalls  Special  Agent  Mander. 

Agent  Mander,   let  me  remind  you  you're  still 

under  oath. 
Whereupon : 

MARK  MANDER, 

recalled  as  a  witness,   having  been  previously  duly 
sworn  according  to  law,   testified  as  follows : 

CONTINUED  DIRECT  EXAMINATION 
BY  MR.   Von  ELTEN: 

Q.  What  is  an  IIR? 

A.  An  IIR,   that's  an  acronym,   it  stands  for 

intelligence  information  report . 

Q.  Who  creates  an  I  I  R? 

A.  Various  military  intelligence-like 
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organizations  throughout  DOD  as  well  as  other  agencies 
that  deal  with  intelligence  typically  create  them. 

Q.  What  are  some  examples  of  some  of  those 

agencies? 

A.  Army  military  intelligence,   the  FBI  creates 

them,   NCIS,   Air  Force  Office  of  Special  Investigations. 
There ' s  others . 

Q.  What  types  of  information  do  they  contain? 

A.  They  contain  all  types  of  intelligence 

information  relating  to  counter  terrorism  information, 
things  involving  cyber  activities,   as  well  as  things 
about  foreign  militaries,   things  like  that. 

Q.  And  who  writes  them? 

A.  Typically  individuals  who  are  assigned  in 

military  intelligence-like  units  or  other  intelligence 
type  units  that  are  designated  to  produce  those  types  of 
reports . 

Q.  What  is  the  basis  of  the  content  in  an  IIR? 

A.  The  basis  of  the  contents  can  be  from  sources, 

people  that  provide  information,    it  can  be  from  other 
military  or  intelligence  organizations  actually  observe 
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activities  for  themselves  and  they  want  to  report  it  and 
that ' s  essentially  the  mechanism  the  intelligence 
community  uses  to  share  that  information  to  other 
elements . 

Q.  How  are  they  used  broadly? 

A.  Well,   there's  a  system,   and  I'm  not  super 

familiar  with  it  because  I  do  criminal  investigation,  but 
generally  speaking,   someone  will  produce  a  report  that 
contains  information  or  intelligence  in  it .  Other 
elements  will  then  see  that  report  and  they  can  then 
generate  questions  or  follow-up  questions,   which  then  in 
turn  produce  more  reports . 

Q.  And  how  are  they  organized? 

A.  Can  you  be  more  specific? 

Q.  Is  it  like  a  fact  summary,   an  analysis 

section,   does  it  vary? 

A.  It  probably  varies.     It  depends  on  the  nature 

of  the  information.     Sometimes  they're  very  short,  maybe 
like  just  one  or  two  pages,   sometimes  they're  very  long, 
multiple  pages  and  they  are  kind  of  organized  in,  they 
usually  have  across  the  top  like  a  classification,  shows 
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the  section  of  the  distribution  of  who  gives  the  report. 

MR.   TOOMAN:     Your  Honor,   we'll  object  based 
on  the  record.     The  witness  has  said  he's  not  super 
familiar  with  this  process  to  use  his  words,   so  we  would 
object  on  personal  knowledge. 

A.  I  have  seen  many  intelligence  reports,   but  I 

don't  know  all  about  the  process  of  how  they're  created. 

THE  COURT :  All  right .  Then  stop  asking 
about  the  process  of  how  they're  created.  Sustained. 
BY  MR.   Von  ELDEN : 

Q.  Where  do  you  find  IIRs? 

A.  There's  two  systems  that  I  would  use  to  look 

up  IIRs.     I  believe  I  can  name  the  two  systems  here.  One 
of  them  is  called  Hot  R,   H  O  T  R,   and  I  don't  know  what 
that  acronym  stands  for  or  if  it  stands  for  anything,  and 
then  there ' s  another  system  called  the  Multi  Media 
Manager,   or  they  typically  call  it  M3 .     I  know  that 
there ' s  others . 

Q.  What  are  some  of  the  others? 

A.  I  don't  know  the  others,    I  just  know  that 

there  are  others  and  that  certain  systems  are  based  on 
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like  the  organizations  that  produce  the  reports.     So,  for 
example,   the  DOD  reports,   most  of  them  are  in  Hot  R,  but 
if  you  want  to  see  a  report  that  was  published  by  another 
organization  such  as  like  the  FBI,   you  would  use  M3 . 

Q.  What  search  engine  do  you  use  to  search  for 

IIRs? 

A.  Intelink  is  one  of  the  systems  you  can  use  to 

search. 

Q.  Do  you  use  Intelink  to  search  for  IIRs? 

A.  Occasionally.     Typically  you  can  also  log  into 

one  of  the  systems  I  mentioned  and  then  search  for  the 
IIRs  that  way  as  well. 

Q.  How  are  the  results  displayed  in  Intelink? 

A.  They're  typically  displayed  kind  of  similar  to 

what  Google  looks  like,   somewhat  similar. 

Q.  And  when  have  you  used  IIRs? 

A.  Well,   specifically  in  this  case  we  did  look 

for  IIRs  that  related  to  WikiLeaks,   that  keyword. 

Q.  Retrieving  prosecution  exhibit  99  for 

identification.     Hand  this  to  the  witness. 

THE  COURT :     Just  a  minute .     Yes . 
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BY  MR.   Von  ELTEN : 

Q.  What  have  I  handed  you,   Agent  Mander? 

A.  This  appears  to  be,   excuse  me,  declassified 

version  of  an  IIR  specifically  related  to  the  WikiLeaks 
organization . 

Q.  And  what  is  it  numbered? 

A.  The  number  is  IIR  5391001408. 

Q.  And  what  is  the  numbering  convention  based  on 

your  experience? 

A.  The  numbers  are  broken  by  spaces.     The  first 

number,   five,    I  believe  that  indicates  the  general 
organization  such  as  Army,   Navy,   Air  Force.     The  second 
number  is  a  three  digit  number,   391,   would  be  the 
specific  organization  within  that  service.     The  fourth 
set  or,   excuse  me,   third  set  of  numbers,   it's  a  four 
digit  number,   0014,  would  be  the  serial  number  of  the 
report.     And  then  the  last  two  numbers,    08,   would  be  the 
year,   the  two  digit  year  of  the  report. 

Q .  Would  you  please  take  a  moment  to  review  the 

report? 

A .  Okay . 
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Q.  What's  an  overview  of  the  content? 

A.  Generally  speaking,   the  content  of  this  IIR, 

it  more  or  less  spells  out  that  the  WikiLeaks 
organization  was  established  in  December  2006.      Its  point 
was  to  encourage  the  posting  of  sensitive  government  and 
corporate  documents.     Describes  the  organization  as  a 
uncensorable  Wikipedia  for  untraceable  mass  document 
leaking  and  analysis.     And  it  also  goes  through,  gives 
more  details  as  well  as  mentions  a  large  number  of  what 
we  call  mirror  sites  and  it  gives  a  long  list  of  it . 

MR.   TOOMAN:     We'll  object  based  on  relevance, 

Your  Honor. 

MR.   Von  ELTEN :     Your  Honor,    I'm  just  having 
him  lay  foundation  for  the  relevance  of  the  document . 

THE  COURT:     What's  the  relevance? 

MR.   Von  ELTEN:      I'm  going  to  do  that  right 

now. 

THE  COURT:      I  want  you  to  tell  me. 

MR.   Von  ELTEN:     Sorry,   ma'am.     The  relevance 
is  this  document,   it  was  a  document  searched  for  by  PFC 
Manning  on  Intelink. 
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THE  COURT:  Overruled. 

MR.   Von  ELTEN:     Retrieving  prosecution 
exhibit  99  for  identification  from  the  witness  and 
handing  the  witness  prosecution  exhibit  85. 

THE  COURT:     That's  now  for  identification, 

right  ? 

MR.   Von  ELTEN:     Yes,  ma'am. 
THE  COURT:     Just  a  minute. 

MR.   Von  ELTEN:      I  hand  you  what  is  marked  as 
prosecution  exhibit  85. 

THE  COURT:     For  identification? 

MR .   Von  ELTEN :     No ,   ma  '  am . 

THE  COURT:      It's  admitted? 
BY  MR.   Von  ELTEN: 

Q.  Please  review  line  19. 

THE  COURT :     Stop  there  for  just  a  moment .  I 
want  to  check  with  the  court  reporter  for  the 
admissibility,  prosecution  exhibit  85  admitted? 

Go  ahead . 

Q.  Where  was  the  search  conducted? 

MR.   TOOMAN:     Your  Honor,   the  defense  is  going 
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to  object .     I  believe  that  this  exhibit  is  computer  logs 
This  isn ' t  a  computer  expert .     The  government  has  not 
admitted  foundation  that  this  witness  can  interpret  raw 
data . 

THE  COURT:     Lay  a  foundation. 
BY  MR.   Von  ELTEN : 

Q.  Agent  Mander,   what  is  your  position? 

A.  I'm  a  special  agent  with  the  Army  CID, 

specifically  the  computer  crime  investigative  unit. 

Q.  And  what  type  of  computer  crimes  do  you 

investigate? 

A.  Generally  speaking,   we  investigate  network 

intrusion  type  incidents . 

Q.  Do  you  review  computer  logs  as  part  of  that 

work? 

A.  Yes,   we  do. 

Q.  And  what  is  a  log? 

A.  A  log  file  is  basically  a  list  of  activity 

that  is  recorded  typically  by  a  computer  or  other  types 
of  systems  that  show  what  activities  occurred. 

Q.  And  what  kind  of  activities  are  recorded? 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 


68 


A.  Typically  the  accesses  to  a  computer  system  or 

perhaps  maybe  traffic  that  transits  Internet  device  such 
as  a  router  or  switch,   stuff  like  that. 

Q.  And  how  often  do  you  review  computer  logs? 

A.  I  used  to  review  them  all  the  time.     Now  not 

so  much,   but  I  still  see  them  fairly  frequently. 

Q.  And  how  familiar  are  you  with  computer  logs? 

A.  Fairly  familiar. 

THE  COURT:  Overruled. 

MR.  TOOMAN:  Your  Honor,  the  defense  would 
request  the  opportunity  to  voir  dire  this  witness  about 
his  knowledge  of  how  computer  logs  are  created. 

THE  COURT:     All  right.      I'll  let  you  go  ahead 
and  do  it .     Are  you  finished  laying  the  foundation  or  do 
you  have  more  foundation  questions? 

MR.   Von  ELTEN :     Just  a  little  more,  ma'am. 

THE  COURT:     Go  ahead. 
BY  MR.   Von  ELTEN: 

Q.  What  was  the  source  identified  in  line  19? 

THE  COURT :     Wait  a  minute .     Now  he ' s 
interpreting  the  logs .     Do  you  have  foundation  to  lay 
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with  respect  to  — 
BY  MR.   Von  ELTEN : 

Q.  What  is  the  search  reflected  in  the  log? 

MR.   FEIN:     Ma'am,   may  I  have  a  moment? 

THE  COURT:  Yes. 

(DISCUSSION  OFF  THE  RECORD.) 

MR.   Von  ELTEN:      I'm  done  laying  a  foundation. 
THE  COURT:     Go  ahead  with  the  voir  dire 
respecting  foundation . 

VOIR  DIRE  EXAMINATION 

BY  MR.  TOOMAN: 

Q.  Good  morning,   Agent  Mander. 

A.  Good  morning. 

Q.  Agent  Mander,   what  experience  do  you  have  with 

Intelink? 

A.  As  a  user,    I've  used  Intelink  to  conduct 

various  searches . 

Q.  Do  you  know  how  Intelink  was  programmed?  Do 

you  know  how  it  operates? 

A.  Can  you  be  a  little  more  specific? 

Q.  Do  you  know  how  Intelink  goes  about  creating 
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those  logs? 

A.  I  do  not  know  the  specifics  about  that. 

Q.  Do  you  know  where  Intelink  stores  its  data? 

A.  I  believe  in  the  local  area  here  in  Maryland. 

Q.  Okay.     Do  you  have  I  guess  —  what  sort  of 

courses  have  you  taken  on  computer  forensics? 

A.  I've  taken  at  least  three  courses,   one  offered 

by  Guidant  Software  specific  to  the  program  that  we  use, 
it's  called  EnCase,   also  taken  two  courses  at  the  Defense 
Cyber  Investigations  Training  Academy  involving  some  of 
those  same  applications  as  well  as  other  applications . 

Q .  And  —  I ' m  sorry . 

A.  I've  also  taken  a  large  data  set  acquisition 

course  that  involves  the  acquisition  of  large  amounts  of 
data . 

Q.  Could  you  be  I  guess  maybe  offer  a  little  more 

insight  into  what  you  learned  in  the  data  set  acquisition 
course? 

A.  Generally  speaking,   when  we  conduct 

investigations  there  are  times  where  we  will  need  to  get 
information  from  say  a  server.     Generally  a  server  is  a 
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type  of  computer  that  will  have  large  amounts  of 
information  on  it  such  as  log  files  as  well  as  storage . 
And  basically  the  course  taught  the  students  how  to 
obtain  that  information  and  a  little  bit  about  how  to 
interpret  it . 

Q.  How  long  was  the  data  set  acquisition  course? 

A.  I'd  have  to  go  back  and  look  at  my  resume.  I 

believe  it  was  40  hours. 

Q.  And  how  much  of  it  was  focused  on  obtaining 

data  from  a  large  data  set? 

A.  I  would  have  to  go  back  and  look  at  the 

course,  what  do  they  call  that,  the,  with,  you  know,  lays 
out,  it's  a  document  that  usually  lays  out  how  many  hours 
are  spent  on  which  thing?     I  don ' t  remember . 

Q.  Syllabus? 

A.  Yeah,   syllabus.     There  you  go. 

Q.  Do  you  recall  if  the  bulk  of  that  course  was 

on  how  to  actually  obtain  the  data? 

A.  Again,   I  would  have  to  go  back  and  review  the 

syllabus . 

Q.  When  did  you  take  that  course? 
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A.  I  believe  that,  was  taken  within  the  last  two 

years . 

Q.  You  talked  a  little  bit  at  that  course  you 

learned  about  how  to  interpret  data .     Did  you  learn  how 
to  interpret  Intelink  logs? 

A.  Specifically  Intelink  logs  were  not  mentioned 

in  the  course . 

Q.  At  that  course  you  learned  how  to  interpret 

logs.     Are  all  logs  created  equally,   that  is,   do  logs  for 
Intelink  look  the  same  as  logs  for  Google  or  logs  for 
ESPN  dot  com? 

A.  No.     Most  logs  will  have  some  uniqueness  to 

them,   either  the  formats  or  the  type  of  data  that ' s 
contained  in  the  logs .     That  will  be  dependent  upon  where 
you're  obtaining  the  logs  from. 

MR.   TOOMAN:     Your  Honor,   we  have  no  further 
questions,   but  we  would  renew  our  objection  as  to  this 
witness ' s  knowledge  of  Intelink  logs  and  their 
interpretation . 

THE  COURT:     All  right.     Thank  you.  It's 
overruled.  Proceed. 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 


73 


CONTINUED  DIRECT  EXAMINATION 
BY  MR.   Von  ELTEN: 

Q.  Agent  Mander,   what  document  is  reflected  in 

line  19? 

A.  In  line  19  there's  an  IP  address  followed  by  a 

date  and  time  and  then  followed  by  what  appears  to  be  the 
actual  raw  data  of  what  looks  like  it ' s  a  search  on 
Intelink . 

Q.  What  is  the  first  IP  address? 

A.  In  line  19  the  IP  address  is  22.225.41.40. 

Q.  And  what  was  the  search  for? 

A.  The  search  appears  to  be  for  an  IIR  and  it 

looks  like  the  IIR  is  the  same  IIR  that  you  previously 
showed  me . 

MR.   Von  ELTEN:     Your  Honor,   the  United  States 
moves  to  admit  prosecution  exhibit  99  for  identification 
into  evidence . 

MR.   TOOMAN:     No  objection. 

THE  COURT:     Prosecution  exhibit  99  for 
identification  is  admitted  into  evidence . 

May  I  see  it,  please? 
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MR.   Von  ELTEN:     Retrieving  prosecution 
exhibit  85  from  the  witness. 

THE  COURT:     Before  you  do  that,   what  was  the 
date  and  time  on  line  19. 

THE  WITNESS:     The  date  here  is,    it  looks  like 
it's  14  February  2010,   and  the  time  is  2334  hours,   and  it 
appears  to  be  Greenwich  Mean  Time  or  Zulu  time . 

THE  COURT:     Thank  you. 
BY  MR.   Von  ELTEN: 

Q.  Handing  the  witness  prosecution  exhibit  99. 

Permission  to  publish. 

THE  COURT:     Go  ahead. 
Q.  Agent  Mander,   can  you  please  read  paragraphs 

three  and  four? 

A.  Paragraph  three.      It's  unclassified  for 

official  use  only  paragraph.      It  read  WikiLeaks 
submission  guides  states  it,   quote,   accepts  classified 
censored  or  otherwise  restricted  material  of  political, 
diplomatic  or  ethical  significance,   unquote.     The  website 
provides  suggestions  for  the  anonymous  submission  of 
material  and  several  methods  of  submitting  material  for 
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inclusion  to  an  online  database .     Methods  include 
submission  via  secure  upload,   email  and  via  discrete 
postal  network. 

Paragraph  four  is  an  unclassified  for 
official  use  only  marked  paragraph.     Since  December  '06 
numerous  classified  and  FOUO  documents  have  been  posted 
and  continue  to  be  available  on  WikiLeaks  dot  org  site 
and  its  mirrors .     Some  of  these  postings  have  garnered 
the  attention  of  major  news  media  outlets,  yet 
intelligence  reporting  has  largely  ignored  these  leaks . 
This  report  is  being  issued  in  an  attempt  to  raise  the 
awareness  of  this  threat .     Some  of  the  documents 
discovered  on  the  WikiLeaks  website  are  listed  below, 
colon . 

Q.  Agent  Mander,   what  is  a  mirror? 

A.  As  we  discussed  yesterday,   a  mirror  is  like  an 

alternate  version  of  a  website  that  generally  reflects 
the  content  of  the  original  site. 

Q.  And  what  is  the  purpose  of  a  mirror? 

A.  Well,   there's  many  purposes.     Sometimes  use 

that  for  redundancy  in  case  the  primary  website  goes 
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down,   you'll  have  an  alternate  that  users  can  — 
THE  COURT:  Yes. 

MR.   TOOMAN:     We'll  renew  our  objection  from 
yesterday  that  this  witness  doesn't  have  personal 
knowledge  of  why  a  website  would  use  a  mirror. 

THE  COURT:  Overruled. 

THE  WITNESS:     So  redundancy,   or  generally 
redundancy  I  guess  would  probably  be  the  best  way  to  say 
it. 

MR.   Von  ELTEN :     Thank  you.     No  further 

questions . 

THE  COURT:     Cross  examination. 
MR.   TOOMAN:     Yes,  ma'am. 
CROSS  EXAMINATION 

BY  MR.  TOOMAN: 

Q.  Agent  Mander,   you  talked  about  the  Intelink 

logs  and  you  looked  at  those.     From  the  Intelink  logs  you 
can't  tell  if  prosecution  exhibit  99  was  printed, 
correct? 

A.  That  would  be  correct. 

Q.  You  also  can't  tell  if  it  was  saved,   a  copy 
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was  saved  by  the  user? 

A.  That  would  also  be  correct. 

Q.  You  really  can't  tell  if  the  user  of  that 

particular  machine  even  looked  at  the  document,  correct? 

A.  That's  also  correct. 

Q.  You  talked  a  little  bit  about  the  contents  of 

that  document .     I  guess  the  document  talked  about 
WikiLeaks  accepting  political,   diplomatic  and  ethical 
contributions,  correct? 

A.  Yes. 

Q.  It  didn't  talk  about  accepting  contributions 

that  would  help  a  military,  correct? 

A.  Can  I  see  the  document  again? 

Q.  I'm  going  to  retrieve  prosecution  exhibit  99 

and  hand  that  to  the  witness . 

A.  Can  you  repeat  your  question? 

Q.  I'm  going  to  go  ahead  and  retrieve  the  exhibit 

from  the  witness. 

A.  Is  it  possible  that  I  can  keep  this  while  you 

ask  your  question? 

Q .  Sure . 
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You  were  referred  to  paragraphs  two  and  three 
by  the  prosecution  and  they  talked  about  WikiLeaks 
accepting  political,   they  wanted  things  that  would  be  of 
political  significance,  correct? 
A.  Correct. 

Q.  They  be  wanted  things  that  would  be  of 

diplomatic  significance? 
A.  Yes. 

Q.  And  they  wanted  things  that  would  be  of 

ethical  significance,  correct? 

A.  According  to  that  paragraph. 

Q.  And  nothing  in  that  paragraph  suggests  that 

WikiLeaks  was  wanting  contributions  that  would  be  of 
military  significance,  correct? 

A.  It  doesn't  mention  military,   but  it  does 

mention  governments  and  corporations  of  various 
countries . 

Q.  Okay.     Governments  and  corporations? 

A.  I  guess  you  could  infer  military  is  part  of 

the  government . 

Q.  Okay.     Now,   that  document  talks  about  a  number 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 


79 


of  classified  materials  that  were  released  by  WikiLeaks, 
correct?     You  talked  about  that  with  the  prosecution. 
A.  It  does,  yes. 

Q .  And  there  1 s  nothing  in  that  document  that  says 

that  the  enemy  viewed  those  releases,   is  there? 
A.  If  you  give  me  a  moment  here. 

Q .  Sure . 

A.  No,   it  doesn't  specifically  mention  any 

enemies  having  access  to  the  documents . 

MR.   TOOMAN:     Okay.      I'm  going  to  go  ahead  and 
retrieve  the  exhibit  from  you,   Agent  Mander.     Thank  you. 
And  give  that  back  to  the  court  reporter .     And  no  further 
questions,  ma'am. 

THE  COURT:  Redirect. 

MR.   Von  ELTEN :     Nothing,   Your  Honor. 

THE  COURT:     All  right.     Temporary  excusal? 

MR.   Von  ELTEN:     Yes,  ma'am. 

THE  COURT:     Once  again,   Agent  Mander,  you're 
temporarily  excused.     Same  rules  apply  as  before.  Please 
don't  discuss  your  testimony  or  knowledge  of  the  case 
with  anyone  other  than  counsel  or  the  accused. 
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MR.   FEIN:     Ma'am,   the  United  States  offers  to 
read  a  stipulation. 

Ma'am,   this  is  prosecution  exhibit  112, 
stipulation  of  expected  testimony  for  Lieutenant  Colonel, 
Retired,   Martin  Nehring  dated  10  June  2013. 

It  is  hereby  agreed  by  the  Accused,  Defense 
Counsel,   and  Trial  Counsel,   that  if  Lieutenant  Colonel, 
Retired,   Martin  Nehring  were  present  to  testify  during 
the  merits  and  pre-sentencing  phases  of  this 
court-martial,   he  would  testify  substantially  as  follows: 

One .     I  am  a  retired  lieutenant  colonel  in 
the  United  States  Air  Force .      I  have  a  BS  in  Petroleum 
Engineering  from  New  Mexico  Institute  of  Mining  and 
Technology  in  1982.     I  received  a  Masters  of  Public 
Administration  from  Troy  University  in  1995.      I  began 
serving  on  active  duty  in  the  United  States  Air  Force 
in  1985  as  a  second  lieutenant.     During  my  career,  I 
spent  12  years  on  active  duty  and  16  years  in  the 
California  Air  National  Guard.      I  retired  in  2012. 

I  deployed  to  Kuwait  in  2001  with  the 
Third  Army.      I  also  deployed  to  Kosovo  in  2002  for 
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weather  operations.     In  2006,    I  deployed  to 
Afghanistan  and  ran  all  weather  operations  in 
Afghanistan.     Throughout  my  career  in  the  Air  Force 
as  a  trained  meteorologist,   I  possessed  a  Top  Secret 
clearance  and  handled  Top  Secret  information .  I 
handled  classified  information  at  the  beginning  of  my 
service  in  1985  and  had  training  in  how  to  handle  and 
identify  classified  information.      I  worked  with 
classified  information  at  all  times  during  my 
military  career . 

Two.     From  2009  to  February  2012,  I 
worked  at  United  States  Central  Command,  USCENTCOM. 
I  worked  in  a  Sensitive  Compartmented  Information 
Facility,    SCIF,   at  USCENTCOM.      Initially,    I  worked  at 
the  weather  desk.     After  USCENTCOM  discontinued  the 
weather  desk,    I  was  reassigned  under  the  USCENTCOM 
Directorate  of  Operations  J3  as  the  J3  subject  matter 
expert,   SME,    for  identifying  J3  classified  equities 
within  United  States  Government  official 
documentation.      In  this  capacity,    I  was  primarily 
responsible  for  reviewing  documents  being  processed 
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under  the  Freedom  of  Information  Act,   FOIA,  which 
belonged  to  or  contained  information  from  USCENTCOM 
J3.   For  FOIA  requests,    I  reviewed  the  requested 
information  for  classified  information  to  determine 
whether  the  document  could  be  released  under  the 
FOIA.     Additionally,    I  conducted  review  for  release 
of  information  to  family  members  of  service  members 
who  were  killed,   wounded,   or  kidnapped  within  the 
USCENTCOM  theaters  of  operations  and  the  media.  I 
also  conducted  separate  reviews  for  coalition 
partners  because  the  standards  were  different  for 
each.     Family  members  and  the  media  could  only 
receive  unclassified  information.     Coalition  partners 
could  receive  certain  classified  information. 
Classified  information  in  a  document  could  not  be 
released  under  the  FOIA  even  if  the  remainder  of  the 
document  contained  publicly  available  information 
because  the  information  is  still  protected. 

Three.      In  my  capacity  as  the  J3  SME,  I 
reviewed  documents  pertaining  to  United  States  v. 
Private  First  Class  Bradley  Manning,   which  the 
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prosecution  provided  to  USCENTCOM.     The  documents 
provided  by  the  prosecution,   submitted  documents, 
included,   among  others,   documents  from  the  Combined 
Information  Data  Network  Exchange  Iraq,   CIDNE-I,  the 
Combined  Information  Data  Network  Exchange 
Afghanistan,   CIDNE-A,   other  documents  related  to  the 
AR  15-6  investigation  of  the  Farah  incident,   and  a 
file  named  "BE22  PAX. zip"  containing  a  video  named 
"BE22  PAX.wmv"  Gharani  video. 

Four.     I  was  tasked  though  the  J3  Task 
Management  Tool .     I  received  the  submitted  documents 
from  the  USCENTCOM  JAG  office.     My  assignment 
required  me  to  determine  whether  the  submitted 
documents  contained  classified  information  at  the 
time  they  were  compromised.     I  reviewed  the  documents 
for  classified  USCENTCOM  J3  equities . 

Five .     To  determine  whether  submitted 
documents  were  classified  at  the  time  of  compromise, 
I  used  three  classification  guides.     I  used  a 
USCENTCOM  classification  guide  dated  before  Operation 
Iraqi  Freedom,   the  updated  version  of  that  USCENTCOM 
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classification  guide  dated  during  Operation  Iraqi 
Freedom,   and  the  version  of  the  USCENTCOM 
classification  guide  that  was  current  at  the  time  I 
conducted  the  classification  review. 

I  did  not  consider  the  following  in 
making  any  determination:     One,   what,   if  any,   of  this 
material  was  included  in  open  source  reporting;  two, 
what,   if  any,   of  this  material  was  available  in 
unclassified  publications,   such  as  Army  Regulations 
or  Field  Manuals;   and,   three,   what,    if  any,   of  this 
material  may  have  been  shared  at  the  tactical  level 
during  the  key  leader  engagements  described  below. 

Six.     I  applied  a  process-oriented 
approach  toward  applying  the  classification  guide  to 
each  of  the  submitted  documents.     First,    I  would 
determine  the  date  of  the  document  and  use  the 
classification  guide  appropriate  for  each  document 1 s 
date .     I  would  determine  the  document ' s 
classification  at  the  time  the  document  was  created. 
Documents  I  determined  that  were  unclassified  were 
removed  from  the  collection  of  submitted  documents . 
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In  fact,    I  approached  the  documents  with  a  "FOIA 
mindset"  and  tried  to  ensure  each  document  was  not 
actually  classified.     I  did  not  presume  any  document 
was  classified  and  reviewed  each  line  in  each 
document  for  classified  information. 

Seven.     Second,    I  reviewed  the  document 
to  determine  if  it  was  classified  at  the  time  of  it 
was  compromised  according  to  the  appropriate  security 
classification  guides .     I  reviewed  documents  for 
USCENTCOM  J3  equities .     Documents  containing 
intelligence  were  sent  to  Mr.   Louis  Travieso  for 
further  review  for  USCENTCOM  J2  equities .  I 
conducted  a  line  by  line  review  and  reviewed  each 
document  for  USCENTCOM  J3  equities  by  applying 
specific  paragraphs  of  the  classification  guides  from 
the  appropriate  time  period.     Where  the  reviewed 
document  contained  USCENTCOM  J3  equities  as 
determined  by  the  appropriate  USCENTCOM 
classification  guide,    I  marked  the  document  as 
containing  information  I  believed  to  be  sensitive  and 
classified.     I  annotated  the  basis  for  each 
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classification  decision  in  my  sworn  declaration  dated 
19  October  2011,   which  is  Bates  numbers 
00527370-00527377.     Prosecution  Exhibit  86  for 
identification  is  my  declaration .     All  documents 
noted  in  the  declaration  contained  classification 
markings  at  the  Secret  level,   hereinafter  "J3 
reviewed  documents" . 

Eight .     The  J3  reviewed  documents 
consisted  of  documents  collected  from  CIDNE— I, 
CIDNE-A,   other  documents  related  to  the  Farah 
investigation,   and  the  Gharani  video.     The  reviewed 
documents  contained  military  information,   to  include 
military  plans,  weapons  systems,   or  operations; 
foreign  government  information;    significant  activity 
reports   (SigActs) ;   operational  code  words  when 
identified  with  mission  operations;    SigActs  related 
to  fact  of  and  general  type  of  I ED  attack  at  specific 
location  on  specific  date;  participating  units, 
including  types  of  vulnerabilities,  locations, 
quantities,   readiness  status,  deployments, 
redeployments,   and  details  of  movements  of  US 
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friendly  forces;    concept  of  operations    (CONOPS) , 
operation  orders    (OPORD) ,   or  fragmentary  orders 
(FRAGOs) ;   vulnerabilities  or  capabilities  of  systems, 
installations,   infrastructures,   projects,   plans,  or 
protection  services  relating  to  national  security; 
and  limitations  and  vulnerabilities  of  US  forces  in 
combat  area . 

Nine .     CIDNE-I  and  CIDNE-A  contained 
SigAct  reports.     The  SigActs  were  marked  as  Secret. 
Within  the  SigActs,   several  categories  appeared 
multiple  times .     These  categories  include  key  leader 
engagements,   mission  report  logs,   reports  on 
improvised  explosive  devices,    IEDs,   and  tactics, 
techniques,   and  procedures    (TIPs)    in  response  to 
IEDs,   and  reports  and  responses  for  missions  focused 
on  duty  status-whereabouts  unknown   (DUSTWUN) . 

Ten.     Key  leader  engagements  described 
interactions  of  members  of  the  military  with  local 
leaders  in  Iraq  and  Afghanistan  regarding  a  broad 
range  of  topics.     Disclosure  of  the  key  leader 
engagements  would  reveal  foreign  government 
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activities,   the  involvement  of  service  members  with 
local  foreign  leaders,   and  the  identities  of  local 
leaders . 

Eleven.     Mission  report  logs  described 
troop  movements,   activities,   and  engagements  with 
hostile  forces.     The  mission  report  logs  describe 
tactics,   troop  locations,   weapons  and  military 
equipment  used . 

Twelve.      IED  reports  detailed  the 
casualties  inflicted  on  service  members,  the 
locations  of  the  attacks,   and  TIPs  for  detecting  and 
responding  to  IED  attacks .     The  IED  reports  recount 
the  attacks  of  hostile  forces,   troop  locations,  and 
the  capabilities  of  United  States  forces . 

Thirteen.     DUSTWUN  reports  stated  the 
names  and  other  personal  information  of  kidnapped 
service  members  and  the  TIPs  in  response  to  locate 
the  kidnapped  service  member.     The  DUSTWUN  reports 
state  troop  locations,   tactics,   encounters  by 
military  forces  with  hostile  forces  and  foreign 
nationals . 
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Fourteen.     The  53  CIDNE-I  reports  that 
contained  J3  equities  are  located  in  Appellate 
Exhibit  501  and  that  have  the  Bates  numbers 
00377912-00377918,    00377921-0377933,  00377935- 
00337938, 00377940-00377949, 00377952-00377958, 
00377960-00377963,00377965-00377980, 
00377983-00377986,    00377988-00378013,  and 
00378016-00378026.     These  CIDNE-I  reports  are 
contained  within  PE  88  for  ID.     The  36  CIDNE-A 
reports  that  contained  J3  equities  are  located  in  AE 
501  and  that  have  the  Bates  numbers 
00377846-00377846,  00377849-00377856, 
00377860-00377871,  00377874-0037788, 
00377886-00377905,   and  00377907-00377910.  These 
CIDNE-A  reports  are  contained  within  PE  89  for  ID. 

Fifteen.     The  J3  reviewed  documents 
contain  SigAct  reports  from  CIDNE-I  that  I  determined 
contained  classified  information  according  to  the 
applicable  security  classification  guides.  These 
SigAct  reports  from  CIDNE-I  were  all  marked  Secret. 
Additionally,   the  J3  reviewed  documents  contain 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 


SigAct  reports  from  CIDNE— A  that  I  determined 
contained  classified  information  according  to  the 
applicable  security  classification  guides .  These 
SigAct  reports  from  CIDNE-I  and  CIDNE— A  were  all 
marked  Secret .     The  J3  reviewed  documents  within 
PE  88  for  ID  and  PE  89  for  ID  contain  multiple  forms 
of  military  information,   to  include  but  not 
Limited  to  the  following:     One,   threat  of  attack  in 
an  area  by  a  specific  group;   two,   confirmed  that  a 
previously  reliable  source  of  intelligence  provided 
information;   three  involved  direct  and  indirect  fire 
reports;   four,   reported  casualties;   five  reported 
loss  of  equipment;   six,   stated  types  of  weapons 
encountered  in  an  enemy  engagement;   seven,  reported 
the  effectiveness  of  IED  attacks;   eight,   reported  the 
locations  of  IED  attacks;   nine,    identified  JED  TIPs 
for  responding  to  JED  attacks;   ten,    identified  TIPs 
for  identifying  and  neutralizing  JEDs;  eleven, 
identified  by  name  suspects  in  investigations; 
twelve,   identified  quick  response  force  mobilization 
TIPs;   thirteen,   identified  code  words;  fourteen, 
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involved  friendly  action  reports;   fifteen,  stated 
details  of  military  missions;    sixteen,   named  multiple 
enemy  groups;   seventeen,   reported  lack  of  casualties; 
eighteen,   reported  lack  of  loss  of  equipment; 
Nineteen,   identified  general  enemy  TIPs;  twenty, 
involved  an  enemy  small  arms  fire  report;  twenty-one, 
identified  enemy  target  by  name;   twenty- two,  stated 
effectiveness  of  enemy  actions;  twenty-three, 
described  a  military  raid;   twenty— four,  identified 
sources  and  methods  of  intelligence  collection; 
twenty-five,   identified  responses  based  on 
intelligence  gathered;   twenty-six,   detailed  arrest  of 
a  suspect;   twenty-seven,   stated  detention  of  a 
suspect  would  have  a  significant  impact  on  military 
operations;   twenty-eight,   described  friendly  action 
of  finding  and  clearing  caches;   twenty-nine,  involved 
a  border  operations  report;   thirty,   described  a  civil 
disturbance;   thirty-one,   identified  unit  locations; 
thirty-two,   reported  enemy  casualties;  thirty-three, 
stated  planned  unit  movement;   thirty-four,  stated 
details  of  combat  patrols;   thirty-five,   described  key 


Provided  by  Freedom  of  the  Press  Foundation 


1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 


UNOFFICIAL  DRAFT  -  6/11/13  Morning  Session 


leader  engagement;   thirty-six,   assessed  effectiveness 
of  local  outreach  programs;   thirty-seven,  detailed 
kidnapping  of  a  service  member;   and  thirty-eight, 
described  initiation  of  DUSTWUN  procedures . 

Sixteen.     Additionally,    I  reviewed 
documents  from  the  AR  15-6  investigation  into  a 
military  operation  that  occurred  in  Farah  province, 
Afghanistan  on  or  about  4  May  2009.     The  AR  15-6 
Investigation  into  the  Farah  incident  was  focused  on 
investigating  the  circumstances  surrounding  a 
large-scale  civilian  casualties,   CIVCAS,  incident. 
The  incident  occurred  in  Gharani,   which  is  a  village 
in  Farah  Province,  Afghanistan. 

The  documents  from  the  AR  15-6 
investigation  that  contained  J3  equities  are  located 
in  AE  501  and  that  have  the  Bates  numbers:  00377425- 
00377492, 00377496-00377498, 00377627-00377637, 
00377674-00377675,   and  00378029-00378081.  These 
documents  are  contained  within  PE  90  for  ID .  As 
noted  in  PE  90  for  ID,    I  found  that  these  documents 
contained  information  I  believed  to  be  sensitive 
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classified  because  they  reveal  operational 
activities,  weapons  systems,   and  code  words. 

Seventeen.     As  part  of  my  review  of  the 
Farah  documents,    I  reviewed  a  file  named  "BE22 
PAX. zip"  containing  a  video  named  "BE22  PAX.wmv" 
hereinafter  Gharani  video.     PE  66  for  ID  is  a 
CD  that  contains  both  files  I  reviewed.     The  Gharani 
video  depicts  portions  of  a  military  operation  in  the 
Farah  Province,   Afghanistan.     The  Gharani  video 
reveals  operational  code  words  associated  with  the 
mission.     The  video  also  reveals  operational 
activities  including  troop  movements  and  weapons 
systems.     Finally,   the  video  includes  specific 
information  contained  on  the  heads— up  display. 

Eighteen .     After  my  review  of  the  above 
referenced  documents  for  USCENTCOM  J3  equities,  I 
Forwarded  my  conclusions  and  recommendations  to 
Deputy  Commander,   USCENTCOM,   an  Original 
Classification  Authority,    for  his  final  determination 
as  to  whether  the  information  is  properly  classified. 

Your  Honor,   the  United  States  moves  to 
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admit,  prosecution  exhibits  88  and  89  for 
identification  as  prosecution  exhibits  88  and  89. 

MR.   HURLEY:     No  objection,  ma'am. 

THE  COURT:     All  right.     Prosecution  exhibits 
88  and  89  are  admitted.     May  I  see  them,  please? 

Plaintiff's  exhibits  88  and  89  are  admitted. 

MR.   FEIN:     Ma'am,   the  United  States  moves  to 
admit  prosecution  exhibits  86  and  90  for  identification 
as  prosecution  exhibits  86  and  90. 

MR.   HURLEY:     No  objection,  ma'am. 

THE  COURT:     All  right.     Prosecution  exhibits 
86  and  90  are  admitted. 

MR.   Von  ELTEN:     Your  Honor,    I  have 
prosecution  exhibit  of  Mr .   Jacob  Grant . 

THE  COURT:     That's  106? 

MR.   Von  ELTEN:     Yes,  ma'am. 

THE  COURT:  Proceed. 

MR.   Von  ELTEN:      It  is  hereby  agreed  by  the 
accused,   defense  counsel  and  trial  counsel  that  if  Mr. 
Jacob  Grant  were  present  to  testify  during  the  merits  and 
pre-sentencing  phases  of  this  court-martial,   he  would 
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testify  substantially  as  follows : 

One.     I  currently  serve  as  Contract  Task  Lead 
for  CCJ6,   assigned  to  the  Active  Cyber  Defense  Branch  at 
U . S  Central  Command ' s  Headquarters  USCENTCOM  on  MacDill 
Air  Force  Base  in  Florida.      In  this  capacity,    I  am 
responsible  for  conducting  various  levels  of  cyber 
operations  for  USCENTCOM  and  Overseas  Areas  of 
Responsibility  including  computer  network  defense 
activities,   computer  network  attack  planning  and 
analysis,   and  the  analysis  and  reverse  engineering  of 
computer  network  exploitation  activities  in  order  develop 
effective  countermeasures . 

I  am  the  lead  for  our  "in-house"  Computer 
Emergency  Response  Team,   CERT.   In  this  capacity,  I 
perform  in-depth  forensic  analysis  of  CND  alerts,  flow 
analysis,   or  interpretation  of  threat  information  to 
include  security  compromises,   network  intrusions,  and 
malicious  logic  outbreaks .     I  have  held  this  position  for 
four  and  a  half  years .     At  the  time  of  my  involvement  in 
this  case,    I  was  the  Senior  INFOSEC  Analyst  with  the 
Information  Assurance  Branch  of  the  J6  USCENTCOM.      I  have 
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also  been  an  IA  watch  officer,   a  senior  analyst.,   and  a 
senior  engineer.     I  served  for  two  years  as  an  enlisted 
airman  working  in  technical  control  and  network 
engineering . 

Two.      I  am  a  certified  information  systems 
security  professional,   CISSP,    2008.      I  have  a  Top 
Secret/SCI  security  clearance.     I  have  associate 
degrees  in  Electronic  Systems  Technology  and 
Avionics  Systems  Technology.     I  am  a  Cisco  Certified 
Network  Associate,   CCNA,    2003,   and  a  CORE  Impact 
Certified  Professional,   CICP,    2013.     Some  of  the 
network  security  and  associated  training  I  have 
received  includes :     McAfee  Network  Security  Platform 
Administration,   2013;   ArcSight  ESM  Use  Case 
Foundations,    2012;   EnCase  Computer  Forensics  1,  2012; 
Arc  Sight  Logger  5.0  Administration  and  Operations, 
2011;   Basic  Malware  Analysis  Using  Responder 
Professional,    2010;   Ethical  Hacking,    2008;  McAfee 
Host— Based  Security  Systems,    2007;  Information 
Technology  Service  Management,    ITSM,    2007;   and  Cisco 
Securing  Networks  w/  PIX  &  ASA,    SNPA,  2007. 
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Three .     I  became  involved  in  this  case 
for  two  reasons.     From  19-20  August  2010,    I  was 
involved  in  the  collection  and  transfer  of  audit  logs 
from  the  USCENTCOM  SharePoint  on  the  USCENTCOM 
SIPRNET  web  server.     At  this  time,    I  was  also 
involved  in  the  identification,    collection,  and 
transfer  of  information  housed  within  that  SharePoint 
site.     Our  collection  focused  on  the  SharePoint 
because  I  had  identified  it  as  the  location  of 
charged  documents  based  upon  the  SIPRNET  web  page 
address  of  those  documents. 

Further,  Special  Agent  John  Wilbur,  with 
whom  I  was  working,  was  interested  in  the  contents  of 
the  USCENTCOM  JAG  folder. 

Four.     The  USCENTCOM  SharePoint  server  is 
a  tool  to  create  an  internet  interface  that  allows 
users  with  access  to  the  site  on  SIPRNET  to 
collaborate,   for  example,   by  sharing  files.  The 
SharePoint  itself  is  only  accessible  via  SIPRNET,  so 
a  user  must  access  it  via  secure  systems .     At  that 
time,   it  was  identified  at  IP  addresses 
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131.240.47.23,    for  the  SharePoint  database  cluster, 
131.240.47.6,   and  131.240.47.7,    for  the  web  portal 
front  end  or  the  portion  accessible  by  SIPRNET  users. 
The  database  as  a  whole  occupied  several  terabytes  of 
space.     The  server  supporting  it,    from  which  I  pulled 
the  logs  and  other  information  at  issue,  is 
physically  housed  on  virtual  machines  within  a 
cluster,   in  a  data  center,   on  a  storage  area  network. 
Only  authorized  USCENTCOM  Headquarters  J-6  personnel 
are  granted  access  to  the  facility.     The  data  center 
is  protected  by  badge  access,   cipher  locks,  video 
surveillance,   and  an  access  roster. 

Five .     The  audit  logs  I  referenced  herein 
are  Internet  Information  Systems,    IIS,   or  Windows 
server  log  files,   which  capture  the  IP  address  of  the 
USCENTCOM  SharePoint  server.     The  logs  do  not  capture 
any  remote  or  external  IP  addresses.     The  logs  only 
capture  the  dates  and  times  documents  are  accessed  on 
the  SharePoint  server,   as  well  as  related  activity  on 
the  SharePoint  server . 

Six.     For  collection  as  evidence  by  SA 
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Wilbur,   these  logs  were  pulled  by  the  internet  server 
maintenance  team.     I  know  this  because  I  was  there 
when  they  retrieved  the  information.     These  logs 
saved  in  a  standard  text  file,   or  .txt  format.  I 
burned  these  logs  onto  a  hard  drive  and  also  onto  a 
DVD .     I  know  these  devices  were  clean  of  data  because 
I  personally  wiped  all  information  from  the  hard 
drive  and  laptop,   and  created  the  image  for  the  hard 
drive  on  which  the  logs  were  burned.     Further,  I 
performed  a  hash  value  match  to  verify  that  the  logs 
provided  were  saved  accurately  onto  the  disk .  The 
DVD  was  red.    I  marked  it  with  the  title  CIE 
underscore  USR  underscore  DATA.     This  DVD  contained 
the  files  CENTCOM  underscore  CIE  underscore 
SharePoint  dash  HASH  underscore  MDSSHAl.pdf, 
CENTCOMHQ  underscore  CIE  underscore  SharePoint  dash 
HASH  underscore  MDSSHAl.txt,   webl.zip,   and  web2.zip. 

The  first  two  files  contain  the  hash 
value  information  validating  the  accuracy  of  the  log 
information  collected.     Webl.zip  contained  the  web 
log  data  from  1  December  2009  until  30  July  2010, 
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pertaining  to  the  USCENTCOM  server  assigned  IP 
address  131.240.47.6.     Web2.zip  contained  web  log 
data  from  1  April  2010  until  30  July  2010,  pertaining 
to  the  USCENTCOM  server  assigned  to  IP  address 
131.240.47.7.     Prosecution  Exhibit  108  for 
Identification  are  these  SharePoint  server  logs . 

Seven.     After  burning  the  log  information 
to  the  DVD,    I  signed  the  evidence  to  SA  Wilbur  using 
the  provided  DA  Form  4137  Evidence  Property  Custody 
Document.     The  disk  was  recorded  on  a  DA  Form  4137 
labeled  as  document  number  122-10.     I  recognize  this 
as  Bates  number  00411111.     I  know  this  because  I 
signed  that  form  and  recognize  my  signature  on  it.  I 
would  recognize  the  evidence  itself  because  I  wrote 
the  label  on  the  disk  and  burned  it .     I  did  not  alter 
the  information  or  the  devices  on  which  it  was  housed 
in  any  way. 

Eight .     The  information  housed  on  the 
SharePoint  server,  mentioned  previously,   was  accessed 
via  SIPRNET  and  located  in  the  JAG  folder  on  the 
USCENTCOM  SharePoint  page.     We  collected  this 
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information  for  two  reasons.     First,    collecting  this 
information  shows  what  content  was  originally 
available  on  the  USCENTCOM  server  to  SIPRNET  users. 
Second,   this  information  helps  put  the  log  data  we 
collected  into  context . 

Nine .      I  assisted  SA  Wilbur  in  collecting 
this  information  from  the  SharePoint  server.  To 
retrieve  it,   we  used  two  blank  CCIU  SATA  hard  drives. 
I  know  these  are  clear  hard  drives  because,  in 
accordance  with  USCENTCOM  policy,    I  scanned  them  for 
malware  and  viruses  before  they  were  used  to  gather 
the  evidence.     Having  found  none,    I  knew  they  were 
suitable  for  evidence  collection.     To  collect  this 
information,   we  also  used  an  approved  CCIU  laptop.  I 
hooked  this  laptop  to  the  SIPRNET  using  a  CCIU-issued 
USB  cable  and  drive  dock.     We  then  connected  the 
previously  scanned  hard  drive  to  the  laptop.  SA 
Wilbur  used  that  connection  to  recover  the 
information  at  issue. 

Ma'am,   the  United  States  moves  to  admit 
prosecution  exhibit  108  for  identification  as 
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prosecution  exhibit  108. 

MR.   HURLEY:     No  objection,  ma'am. 

THE  COURT:     All  right.     May  I  see  it,  please? 

MR.   Von  ELTEN:     Your  Honor,    if  we  may  mark 
this  for  the  next  recess . 

THE  COURT:     That's  fine. 

MR.   Von  ELTEN:     Your  Honor,    I  have 
prosecution  exhibit  72  which  is  the  stipulated  expected 
testimony  of  special  agent  John  Wilbur. 

THE  COURT:  Proceed. 

MR.   Von  ELTEN:      It  is  hereby  agreed  by  the 
Accused,   Defense  Counsel,   and  Trial  Counsel,   that  if 
Special  Agent  John  Wilbur  were  present  to  testify  during 
the  merits  and  pre-sentencing  phases  of  this 
court-martial,   he  would  testify  substantially  as  follows: 

One .      I  am  currently  the  senior  Special  Agent 
at  the  computer  forensic  unit  in  the  office  of  the 
Special  Inspector  General  for  the  Troubled  Asset 
Relief  Program,   TARP,   at  the  Treasury  Department.  In 
this  position,   I  collect  and  examine  digital  evidence 
to  support  criminal  investigations .      I  have  held  this 
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position  since  January  of  2012.     Previously,    I  was  an 
SA  for  the  Department  of  the  Army ' s  Criminal 
Investigation  Command,   CID,   Computer  Crimes  and 
Investigative  Unit,   CCIU.      I  held  that  position  from 
June  of  2010  to  January  of  2012.     As  a  CCIU  SA,  I 
investigated  the  unauthorized  exfiltration  of 
classified  and  sensitive  data  and  the  loss  of 
personally  identifiable  information,   PII,  data 
worldwide .      I  also  investigated  intrusions  into 
Army  computer  systems .      I  currently  have  over  twenty 
years  of  law  enforcement  experience,   fifteen  of  which 
have  been  primarily  devoted  to  conducting  complex 
criminal  and  administrative  cyber-related 
investigations . 

Two .      I  have  had  substantial  training  to 
qualify  me  for  my  position.      I  received  Department  of 
State  law  enforcement  training  in  2005,   CID  law 
enforcement  training  in  2002,   and  Police  Officer 
Training  in  1990.      In  addition  to  the 

evidence-handling  training  included  in  these  courses, 
I  also  attended  the  Advanced  Crime  Scene 
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Investigations  course  at  the  Federal  Law  Enforcement 
Training  Center  in  Glynco,   Georgia,   May  2008. 

At  the  time  of  my  involvement  in  this 
Investigation,  my  cyber  security  and  forensic 
evidence  experience  was  extensive .     Among  other 
courses,    I  had  attended  multiple  courses  put  on  by 
Guidance  Software,   the  makers  of  the  EnCase  forensic 
tool;    I  had  attended  the  Seized  Computer  Evidence 
Recovery  Specialist  Certification  Course,  October 

2001,  at  the  Federal  Law  Enforcement  Training  Center; 
and  I  had  attended  FT210,   Windows  Forensic 
Examinations  through  the  Defense  Cyber  Investigations 
Training  Academy,   DCITA.     Further,    I  had  obtained 
training  in  Law  Enforcement  Technology,  April 

2002,  through  the  University  of  Pittsburgh;  Advanced 
Data  Recovery,   March  2001,   and  Basic  Data  Recovery, 
January  2000,   at  the  National  White  Collar  Crime 
Center;   Operational  Information  Security  I  and  II, 
July  2000,   at  the  Defense  Information  Security 
Agency;   and  Computer  Search  and  Seizure,    June  2000, 
through  the  FBI  Academy. 
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I  have  continued  to  develop  my  skills  and 
expertise .     I  have  attended  training  in  Windows  7 
Forensics  at  Access  Data,   December  2010,   the  Computer 
Incident  Response  Course,  April  2011,   and  a  course  on 
Introduction  to  Networks  and  Computer  Hardware, 
December  2010,   through  DCITA. 

Three .     My  role  in  this  case  was  to 
assist  in  witness  interviewing  and  data  collection. 
I  collected  evidence  from  the  United  States  Central 
Command  USCENTCOM  server  and  from  the  Department  of 
State  server . 

In  collecting  the  USCENTCOM  materials,  I 
worked  with  Mr.   Jacob  Grant  to  collect  both  the 
server  logs  as  well  as  information  from  a  particular 
folder . 

Four .     When  collecting  and  handling 
evidence,    I  follow  several  general  procedures.  After 
collection,   I  review  the  evidence  property  custody 
document  for  the  appropriate  information .      I  fill  out 
the  date,   time,  place  of  collection  and  describe  the 
evidence  collected.     I  record,   for  example,  serial 
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numbers,   markings  for  identification,   and  condition 
description  matching  the  associated  evidence . 
Further,    I  ensure  that  the  necessary  information, 
such  as  date  and  time,   are  properly  and  accurately 
recorded. 

Lastly,    I  maintain  secure  custody  of  the 
evidence  prior  to  transferring  it  to  another 
individual .      In  addition  to  following  these 
procedures,   when  transferring  to  or  receiving 
evidence  from  another  person,    I  am  also  sure  to 
properly  sign,   date,   and  note  the  reason  for  the 
transfer . 

Five.     From  the  USCENTCOM  server,  Mr. 
Grant  and  I  collected  information  from  the 
USCENTCOM  SharePoint  site  as  well  as  the  audit  logs 
which  track  access  to  the  site.     I  was  interested  in 
this  information  so  that  investigators  could  compare 
compromised  information  regarding  the  Farah 
investigation  to  information  on  the  USCENTCOM  server, 
and  so  that  investigators  could  identify  computers 
which  were  used  to  retrieve  potentially  compromised 
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material.     Before  Mr.   Grant  or  I  accessed,  imaged, 
searched  for,   or  extracted  any  information,   we  needed 
special  authorization  from  MG  Jones,   Chief  of  Staff, 
USCENTCOM.     CCIU  forwarded  a  formal  written  request 
through  the  Office  of  the  Staff  Judge  Advocate  to  the 
USCENTCOM  J6  requesting  release  of  this  evidence  on  9 
August  2010.     This  request  was  approved  on  19  August 
2010.     The  same  day,    I  worked  with  Mr.   Grant  to 
prepare  for  evidence  collection  by  getting  in  order 
the  equipment  we  would  need  for  collection.  Mr. 
Grant  ensured  that  the  laptop,   hard  drive,   and  cables 
we  would  need  were  clean  of  any  data  and  ready  for 
use . 

Six.     The  following  day,   Mr.  Grant 
collected  from  the  J6  shop  a  DVD  containing  the  audit 
logs  for  the  USCENTCOM  SharePoint  server.     The  logs 
show,   among  other  things,   the  date  and  time  USCENTCOM 
documents  were  accessed  on  the  SharePoint  server, 
from  December  2009  until  August  2010.     On  20  August 
2010,   he  signed  that  evidence  over  to  me.     I  took 
possession  using  the  evidence  handling  procedures  I 
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describe  herein  including,   but  not  limited  to, 
documenting  it  on  an  Evidence  Property  Custody 
Document  DA  Form  4137,   labeled  as  document  number 
122-10,   Bates  number  00411111.     Later  that  same  day, 
I  properly  signed  that  evidence  over  to  the  CCIU 
Evidence  Custodian,   Ms.   Tamara  Mairena.     At  no  point 
did  I  alter  the  DVD  or  its  contents.      I  have  no 
reason  to  believe  it  suffered  damage  or  contamination 
in  any  way. 

Seven.      In  addition  to  collecting  the 
logs,    I  worked  further  with  Mr.   Grant  to  access  and 
collect  information  from  the  USCENTCOM  SharePoint 
collaboration  space  on  the  USCENTCOM  server. 
SharePoint  is  a  tool  produced  by  the  Microsoft 
Corporation  to  create  an  internet  interface  which 
allows  users  with  access  to  a  SIPRNET  website  to 
collaborate,   for  example,   by  sharing  files.  The 
USCENTCOM  SharePoint  itself  is  only  accessible  via 
SIPRNET,    so  a  user  must  access  it  via  secure  systems 
and  a  proper  security  clearance .     The  server 
supporting  it,    from  which  Mr.   Grant  pulled  the  logs, 
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is  on  virtual  machines  within  a  cluster,    in  a  data 
center,   on  a  storage  area  network  Only  authorized 
USCENTCOM  headquarters  J6  personnel  are  granted 
access  to  the  facility.     The  data  center  is  protected 
by  badge  access,   cipher  locks,  video  surveillance, 
and  an  access  roster.     This  information  was  located 
on  SIPRNET  in  the  JAG  folder  on  the  USCENTCOM 
SharePoint  page.     Mr.   Grant  assisted  me  in  locating 
it  on  the  system.     We  sat  at  his  workstation  to  pull 
the  folder  contents .     We  knew  where  to  focus  our 
search  based  on  Mr.   Grant's  SIPRNET  web  page  address 
identifications  of  the  information  at  issue  and 
because  investigators  in  the  case  had  cause  to 
suspect  the  charged  information  was  housed  in  the 
USCENTCOM  JAG  folder. 

In  consultation  with  investigating 
forensic  examiner  SA  Dave  Shaver,   we  determined  the 
most  forensically  sound  way  to  collect  the  Farah 
information  itself,   as  well  as  information  about  how 
it  was  accessible  on  SharePoint,   was  to  navigate 
through  the  series  of  digital  folders  to  download  the 
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Farah  file  itself.     As  we  navigated  through  the 
folder  structure  on  the  SharePoint  server,   we  took 
screenshots  of  the  contents  of  each  folder  before  we 
entered  the  subsequent  folder.     A  screenshot  is  the 
process  of  obtaining  a  digital  copy  of  the  computer 
screen,   similar  to  a  photograph. 

Eight.     During  the  morning  of  20  August 
2010,    I  connected,  via  a  USB  cable,   a  CCIU-issued 
Voyager  drive  dock  to  the  laptop  which  accessed  the 
SharePoint  server  via  a  USB  cable.     I  connected  a 
400GB  Seagate  Barracuda,    SATA  hard  drive,  serial 
number  3NFODYJI,   to  the  laptop  using  the  drive  dock 
and  assigned  that  drive  the  letter  X.  Using 
Microsoft's  Internet  Explorer,    I  navigated  to  the 
SIPRNET  web  page  www.nonrel.cie.centcom.smil.mil. 
From  this  screen,    I  clicked  on  the  Organization  link. 
I  created  a  screen  capture  of  this  page  and  saved  it 
in  a  folder  in  the  Desktop  Directory  called  screen 
shots.     From  this  screen,    I  clicked  on  the 
Special  Staff  link.     I  created  a  screen  capture  of 
this  page  and  saved  it  in  the  screen  shots  folder. 
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From  this  screen,    I  clicked  on  the  Judge  Advocate 
link.     I  created  a  screen  capture  of  this  page  and 
saved  it  in  the  screen  shots  folder.     From  this 
screen,    I  clicked  on  the  JA  Document  Page  link.  I 
created  a  screen  capture  of  this  page  and  saved  it  in 
the  screen  shots  folder.     From  this  screen,    I  clicked 
on  the  folder  icon  Investigations .     I  created  a 
screen  capture  of  this  page  and  saved  it  in  the 
screen  shots  folder.     From  this  screen,    I  clicked  on 
the  folder  icon  Farah.     I  created  a  screen  capture  of 
this  page  and  saved  it  in  the  screen  shots  folder. 
The  folder  Farah  contained  the  following  sub-folders : 
Admin  Material,   Briefs,   Email,    Investigations  Tabs, 
Repotis  and  EXSUMs,   Timelines,   and  Videos.  I 
navigated  to  each  of  the  sub-folders  and  created  a 
screen  capture  for  each  page  then  saved  it  in  the 
screen  shots  folder.     The  screen  shots  showed  how  the 
SharePoint  portal  was  arranged  and  the  path  to  the 
Farah  folder . 

Nine .     Prosecution  Exhibit  65  for 
identification  is  a  computer  printout  that  shows  the 
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file  names  and  their  associated  paths  that  we 
navigated.      It  is  a  printout  of  a  directory  listing 
showing  the  filenames  of  each  file  and  folder 
contained  within  the  Farah  folder  on  the  USCENTCOM 
Server  with  individual  line  numbers  printed  to  the 
left  of  the  listing.      It  lists  the  first  level  of 
subf older s  within  the  Farah  folder  alphabetically, 
and  then  lists  the  filenames  of  the  first  subf older. 
The  document  continues  this  process  of  listing 
subfolder  names  recursively,   until  all  files  and 
their  filenames  in  all  subfolders  have  been  listed. 

Ten.     Later  in  the  day  on  20  August  2010, 
I  recreated  the  folder  Farah  on  the  Desktop  Directory 
of  the  laptop  and  included  all  of  the  subfolders  that 
resided  in  the  Farah  folder.     I  then  downloaded  each 
individual  file  contained  in  the  folder  Farah  into 
the  same  location  inside  the  recreated  Farah  folder 
on  the  Desktop  Directory  of  the  laptop  computer. 
After  verifying  that  all  of  the  files  downloaded 
correctly,    I  installed  EnCase  version  6.14.3  on  the 
laptop  computer.     Using  EnCase,    I  created  a  logical 
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evidence  file  of  the  folder  Farah  and  all  of  its 
sub-folders.     The  logical  evidence  file  was  named 
JA-Investigations-Farah  Folder. LOI.     An  MD5  hash  of 
4  6ell229a5d678cabf 9c3fa6839f 662c  was  obtained  and 
recorded.     The  logical  evidence  file  of  the  folder 
Farah  was  placed  in  a  folder  named  EnCase  on  the  root 
of  the  X  drive  connected  to  the  laptop.     I  also 
copied  the  recreated  Farah  folder  and  all  of  the 
sub— folders  and  placed  them  onto  the  root  of  the  X 
drive.     Subsequently,   the  folder  Screen  Shots  was 
then  copied  and  placed  on  the  root  of  the  X  drive  as 
well . 

Eleven.     When  beginning  the  process  of 
navigating  through  the  JAG  folder  to  obtain  the  Farah 
contents,    I  was  not  required  to  enter  any  login  or 
password  window  on  the  main  page .     I  was  able  to 
navigate  to  any  page  and  access  all  folders  and 
documents  in  the  document  library,   including  the  SJA 
Investigations  folder  and  the  Farah  folder  without 
ever  entering  any  authentication  or  credential 
information.      In  the  Farah  folder,   all  of  the  video 
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files  were  password  protected,    including  a  file  named 
BE22  PAX. zip  containing  a  video  named  BE22  PAX.wmv. 
We  therefore  also  requested  and  received  the  password 
to  unlock  the  file  named  BE22  PAX. zip  and  the  other 
videos  from  USCENTCOM.     PE  66  for  Identification  is  a 
CD  containing  the  file  named  BE22  PAX. zip  and  the 
video  file  named  BE22  PAX.wmv.     PE  67  for 
Identification  contains  the  password  for  the  file 
named  BE22  PAX. zip  which  I  received  from  USCENTCOM. 

Twelve.     Later  on  20  August  2010,  I 
connected  a  second  400GB  Seagate  Barracuda,    SATA  hard 
drive,    serial  number  3NFOHTG4 ,   to  the  laptop  using 
the  drive  dock  and  assigned  that  drive  the  letter  Y. 
I  then  recreated  the  process  a  second  time  placing 
the  folder  EnCase,   containing  the  EnCase  logical 
evidence  file  for  the  folder  Farah,   the  recreated 
folder  Farah,   and  the  folder  Screen  Shots  onto  the 
root  of  the  Y  drive .     The  second  evidence  drive  was 
created  as  a  backup  in  case  the  first  evidence  drive 
suffered  a  failure. 

Thirteen .     I  later  collected  as  evidence 
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two  SATA  hard  drives .     These  SATA  hard  drives  each 
contained  images  of  three  folders,   EnCase,   Farah,  and 
Screen  Shots,    copied  from  the  USCENTCOM  SharePoint 
server  IP  address  131.240.47.23,   which  was  documented 
on  Evidence  Property  Custody  Document,  Document 
Number  123-10,   identified  at  Bates  number  00411113. 
In  processing  this  material,    I  handled  and 
transferred  the  evidence  as  I  have  been  trained.  At 
no  point  did  I  alter  any  evidence  I  collected.  I 
have  no  reason  to  believe  this  evidence  was 
contaminated  or  damaged  in  any  way.     On  20  August 
2010,    I  properly  signed  this  evidence  over  to  Ms. 
Tamara  Mairena,   the  CCIU  Evidence  Custodian.      I  did 
not  touch  this  evidence  again. 

Fourteen.     Finally,    I  took  possession  of 
firewall  logs  from  the  Department  of  State  from  SA 
Ron  Rock.      I  took  possession  of  this  evidence  on  15 
October  2010.     He  provided  this  information  on  a 
silver  CD  marked  with  the  words  WikiLeaks  DoS 
Firewall  Logs  13  October  2010.     The  CD  had  a  red 
U.S.   Government  Secret  sticker  on  it .      I  recognize  it 
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as  an  official  sticker  because  I  have  handled 
classified  information  before.     I  handled  this 
evidence  consistent  with  procedures  as  I  have  been 
trained  and  previously  described. 

Upon  taking  custody,   I  checked  to  ensure 
the  evidence  I  was  receiving  matched  the  description 
on  the  DA  Form  4137,    labeled  as  DN  151-10, 
Item  I,   identified  at  Bates  number  00411151.  I 
checked  the  date,   time,   and  other  collection 
information.     And  finally,    I  signed  in  the  Received 
By  column.     While  in  possession  of  this  evidence,  I 
maintained  positive  control .      I  did  not  alter  the 
information  on  the  CD .      I  have  no  reason  to  believe 
this  evidence  was  damaged  or  contaminated  in  any  way . 
On  18  October  2010,    I  properly  signed  this  evidence 
over  to  Ms.  Mairena,   the  CCIU  evidence  custodian.  I 
did  not  touch  this  evidence  again.     PE  68  for 
identification  is  DN  151-10,    Item  1. 

And  the  United  States  moves  to  admit 
prosecution  exhibits  65,    67  and  68  for  identification 
as  prosecution  exhibits  65,    67  and  68  respectively. 
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MR.   TOOMAN:     No  objection. 

THE  COURT:     May  I  see  them,  please? 

Prosecution  exhibits  67  for  identification  is 

admitted. 

Counsel,    I  have  prosecution  exhibit  67,   but  I 
have  a  CD  and  it  says  66. 

MR.   FEIN:      66  has  already  been  admitted, 

ma  'am. 

THE  COURT:      I  know,   but  there's  nothing  in 

67. 

MR.   FEIN:      I  will  retrieve  those  two  exhibits 
from  the  court  reporter. 

Ma ' am,   there  is  a  document  marked  in  this 
folder.     There  is  a  single  page  document  that  accompanies 
the  CD. 

THE  COURT:     And  prosecution  exhibit  68  is 
admitted.     67  is  admitted. 

Now,    I  have  44  here,   is  that  another  one 

that  — 

MR.   FEIN:     No,  ma'am. 

Ma ' am,   also  we  have  found  in  the  bag 
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prosecution  exhibit.  108  earlier  that,  was  to  be  marked 
prior  to  the  recess . 

THE  COURT:     Prosecution  exhibit  108  is 

admitted. 

I'm  looking  at  the  time.     How  do  the  parties 
want  to  proceed? 

MR.   FEIN:     Ma'am,   the  United  States 
recommends  we  take  our  lunch  recess . 

THE  COURT :     All  right .     How  long  would  you 

like? 

MR.   FEIN:     Hour  and  15  minutes,  ma'am. 
THE  COURT:     All  right. 

MR.   FEIN:     We're  also  trying  to  set  up  a 
phone  call  for  the  defense  to  talk  to  an  certain  witness . 
If  that  happens,   we  might  ask  for  more  time  during  the 
recess . 

THE  COURT:     What  do  you  think  the  likelihood 
of  success  is  in  that?     Do  you  just  want  to  make  it  1:30? 

MR.   COOMBS:     No  objection  to  that,  ma'am. 
THE  COURT:     Court  is  recessed  until  1:30. 
(LUNCH  RECESS. ) 
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